Now that I'm awake, it strikes me that this might be the obvious solution:

   function decode(text) {
       if (typeof(decodeURIComponent) != "undefined") {
           return decodeURIComponent(text);
       } else {
           return unescape(text);
       }
   }

Try to patch it in a repackage the source code and let us know how it
works. It's slightly less efficient code, but we might optimize some
of that away if it works.

Cheers,

/Per

On Fri, Jul 17, 2009 at 05:19, Bob Ippolito<b...@redivi.com> wrote:
>
> There are various ways it could be rewritten, but without knowing
> exactly how stupid the IPS is it's hard to say which permutation would
> pass its test. Someone who can reproduce this issue should spend some
> time with it and produce a patch.
>
> On Thu, Jul 16, 2009 at 6:34 PM, Michael<mstras...@gmail.com> wrote:
>>
>> I have found a problem with MochiKit Base.js and the intrusion
>> protection system at work. The IPS truncates Base.js because it
>> assigns the unescape() function to a variable (in parseQueryString(),
>> line 1225 in version 1.4.2 of Base.js). The IPS response is documented
>> here:
>>
>> http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
>>
>> Has anybody else seen this behaviour? Could the code be re-written to
>> not use that reassignment?
>>
>>
>> (I discovered this because MarkMail does not work, and it uses a
>> compressed version of MochiKit 1.4.)
>>
>>
>> >
>>
>
> >
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"MochiKit" group.
To post to this group, send email to mochikit@googlegroups.com
To unsubscribe from this group, send email to 
mochikit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to