On 1/5/11, Lasse Reichstein <[email protected]> wrote:
> Another problem is that you accept numeric values above 256 from
> charCodeAt, but assume that it's only 8 bits.

Generally, I think it would be safer to test the value to be one of the ones you accept, with some if-statements, and bail out if it's not.

You can't rely on the object not having a property, since an attacker could add any property to the prototype. I.e., don't do lookups on values that are not known to be safe. Any lookup on a property that you haven't added yourself could call a getter that captures and modifies your object.

You could also use a switch statement instead of the dictionary objects, but if you know that you only do lookups on values that you have added properties for, it should be safe.

/L

-- 
To view archived discussions from the original JSMentors Mailman list: http://www.mail-archive.com/[email protected]/
To search via a non-Google archive, visit here: http://www.mail-archive.com/[email protected]/
To unsubscribe from this group, send email to [email protected]
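The following is an added example, not code from this thread or its author, illustrating the two points made above: range-checking `charCodeAt` results before treating them as bytes, and restricting dictionary lookups to keys the code itself added so that a property installed on `Object.prototype` cannot be reached. The `HEX` table, the `lookupUnsafe`/`lookupSafe`/`toBytes` names and the `evilKey` getter are all constructed for this demonstration.

```javascript
// Added example (not from the list thread): own-property lookups versus plain
// object lookups on attacker-influenced keys, plus a byte-range check.

// Hypothetical mapping table, constructed for this example.
const HEX = { "0": 0, "1": 1, "a": 10, "b": 11 };

// Unsafe: any string taken from the input becomes a property lookup on a plain
// object, so keys such as "constructor" or "__proto__" resolve through the
// prototype chain, and a getter added to Object.prototype runs with the table
// as `this`.
function lookupUnsafe(table, key) {
  return table[key];
}

// Safe: only accept keys the table itself defines. hasOwnProperty is called via
// Object.prototype so an own property named "hasOwnProperty" cannot shadow it.
function lookupSafe(table, key) {
  if (typeof key !== "string" || !Object.prototype.hasOwnProperty.call(table, key)) {
    return undefined; // bail out: not a value we added ourselves
  }
  return table[key];
}

// charCodeAt yields 0..65535; a byte-oriented encoder must reject anything
// above 255 rather than silently keeping the low 8 bits.
function toBytes(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);
    if (code > 255) {
      throw new RangeError("non-byte character at index " + i + ": U+" + code.toString(16));
    }
    out.push(code);
  }
  return out;
}

// Demonstration: a getter placed on Object.prototype (simulating a polluted
// prototype) observes the unsafe lookup, receiving the table as `this`, while
// the own-property check never reaches it.
function demoPrototypeGetter() {
  let captured = null;
  Object.defineProperty(Object.prototype, "evilKey", {
    get() { captured = this; return 0; },
    configurable: true,
  });
  try {
    const unsafeResult = lookupUnsafe(HEX, "evilKey");
    const unsafeCaptured = captured === HEX;
    captured = null;
    const safeResult = lookupSafe(HEX, "evilKey");
    const safeCaptured = captured === HEX;
    return { unsafeResult, unsafeCaptured, safeResult, safeCaptured };
  } finally {
    delete Object.prototype.evilKey; // restore the global prototype
  }
}
```

Using `Object.create(null)` for the table, or a `Map`, removes the prototype chain entirely and is the simpler fix in modern code; the own-property check above is the portable form of the same idea and matches the advice in the thread of only looking up keys you added yourself.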
