On Sun, 02 Jan 2011 23:33:08 +0100, porneL <[email protected]> wrote:
On Sun, 02 Jan 2011 19:30:11 -0000, Lasse Reichstein <[email protected]> wrote:
Pretty certainly. Do you remember which browser and version had this
problem?
Firefox 2 and others. http://ejohn.org/blog/re-securing-json/
Thanks. Good thing that was fixed.
I've got an idea. I could verify that charCodeAt didn't lie:
charcode = 0+hostname.charCodeAt(i);
verified_hostname += {97:"a", 98:"b", …}[charcode];
…
if (location.hostname == verified_hostname)
Nice. Checking that you aren't being lied to is good enough in this case,
since you can just stop working in bad cases.
delete obj.property;
You may also want to check the value of the delete expression.
if (!'property' in obj) { // check if setter wasn't in prototype
This should probably be parenthesized as
if (!('property' in obj)) {
obj.property = value; // is that safe?
You should check that the setting succeeds. Objects can be sealed to
prevent further properties from being added. If it's your own object
(created using an object literal), then you know it isn't sealed as long
as you haven't exposed it to anybody, but then you also don't need to
delete obj.property (it can't affect the prototype anyway).
}
You can create literals, including Array and Object literals, but you
must expect their prototypes to be tainted, including having
getter/setter properties (currently some browsers mistakenly trigger
these on literal creation, let's hope that gets fixed soon).
Do you have more info on this?
https://mail.mozilla.org/pipermail/es-discuss/2010-December/012493.html
/L
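
Added example, not part of the original messages: the delete / in / assign sequence discussed above with each suggested check applied, plus what the unparenthesized condition actually tests. setOwnChecked, precedenceDemo, runSamples and the sample objects are hypothetical names, and the code assumes Object.getOwnPropertyDescriptor, Object.defineProperty, Object.seal and Object.create have not themselves been replaced.

```javascript
// Added illustration; setOwnChecked, precedenceDemo and runSamples are hypothetical names.
function setOwnChecked(obj, name, value) {
  var removed;
  try {
    removed = delete obj[name]; // false (sloppy) or TypeError (strict) if non-configurable
  } catch (e) {
    removed = false;
  }
  if (!removed) return "delete-failed";
  // Parenthesized test: an inherited property, e.g. an accessor planted on the
  // prototype, is still visible here, and assigning to it would run its setter.
  if (!(name in obj)) {
    try {
      obj[name] = value; // ignored (sloppy) or TypeError (strict) on a sealed object
    } catch (e) {
      return "set-failed";
    }
  } else {
    return "inherited";
  }
  // Confirm the write produced an own data property holding the value.
  var d = Object.getOwnPropertyDescriptor(obj, name);
  return d !== undefined && d.value === value ? "ok" : "set-failed";
}

// What the unparenthesized condition from the thread actually tests.
function precedenceDemo(obj) {
  return {
    asWritten: !'property' in obj, // parsed as (!'property') in obj, i.e. "false" in obj
    parenthesized: !('property' in obj)
  };
}

// Constructed sample objects covering each outcome.
function runSamples() {
  var seen = [];
  var proto = Object.defineProperty({}, "property", {
    set: function (v) { seen.push(v); }, configurable: true
  });
  var pinned = Object.defineProperty({}, "property", { value: 0 });
  return {
    plain: setOwnChecked({}, "property", 1),
    sealed: setOwnChecked(Object.seal({}), "property", 1),
    pinned: setOwnChecked(pinned, "property", 1),
    inherited: setOwnChecked(Object.create(proto), "property", 1),
    setterCalls: seen.length
  };
}

console.log(runSamples(), precedenceDemo({}));
```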