Now that I'm awake, it strikes me that this might be the obvious solution:
function decode(text) {
if (typeof(decodeURIComponent) != "undefined") {
return decodeURIComponent(text);
} else {
return unescape(text);
}
}
Try to patch it in a repackage the source code and let us know how it
works. It's slightly less efficient code, but we might optimize some
of that away if it works.
Cheers,
/Per
On Fri, Jul 17, 2009 at 05:19, Bob Ippolito<[email protected]> wrote:
>
> There are various ways it could be rewritten, but without knowing
> exactly how stupid the IPS is it's hard to say which permutation would
> pass its test. Someone who can reproduce this issue should spend some
> time with it and produce a patch.
>
> On Thu, Jul 16, 2009 at 6:34 PM, Michael<[email protected]> wrote:
>>
>> I have found a problem with MochiKit Base.js and the intrusion
>> protection system at work. The IPS truncates Base.js because it
>> assigns the unescape() function to a variable (in parseQueryString(),
>> line 1225 in version 1.4.2 of Base.js). The IPS response is documented
>> here:
>>
>> http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
>>
>> Has anybody else seen this behaviour? Could the code be re-written to
>> not use that reassignment?
>>
>>
>> (I discovered this because MarkMail does not work, and it uses a
>> compressed version of MochiKit 1.4.)
>>
>>
>> >
>>
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"MochiKit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---
