On Sun, 02 Jan 2011 19:30:11 -0000, Lasse Reichstein
<[email protected]> wrote:
I've tried that few years ago, but back then browsers executed Array
and String constructors for literals. This is fixed now, right?
Pretty certainly. Do you remember which browser and version had this
problem?
Firefox 2 and others. http://ejohn.org/blog/re-securing-json/
Can I call untrusted functions without exposing the function in
arguments.callee?
No, arguments.callee still exists, sadly. To avoid that, you'll need some
intermediate function to do the calling. But then again, given the next
question, there isn't really any function you would want to call.
I've got an idea. I could verify that charCodeAt didn't lie:
charcode = 0+hostname.charCodeAt(i);
verified_hostname += {97:"a", 98:"b", …}[charcode];
…
if (location.hostname == verified_hostname)
You can only really use features that have specific syntax (function
call, property access), and not anything that might call an internal
function.
And you should be prepared for any object property write to maybe hit a
setter.
delete obj.property;
if (!'property' in obj) { // check if setter wasn't in prototype
obj.property = value; // is that safe?
}
You can create literals, including Array and Object literals, but you
must expect their prototypes to be tainted, including having
getter/setter properties (currently some browsers mistakenly trigger
these on literal creation, let's hope that gets fixed soon).
Do you have more info on this?
--
regards, porneL
--
To view archived discussions from the original JSMentors Mailman list:
http://www.mail-archive.com/[email protected]/
To search via a non-Google archive, visit here:
http://www.mail-archive.com/[email protected]/
To unsubscribe from this group, send email to
[email protected]
