Thanks Per for your analysis. I think your suggestion will work. Who
will try it? I am not a MochiKit user directly. I'm a MarkMail user
who investigated why he can't view articles at work.

At work I am getting an exception made to allow JavaScript from
markmail.org. But that doesn't help anyone else wanting to use a site
using MochiKit inside a similarly-protected environment.

The IDS information I have is that a Proventia device scans JavaScript
files. It truncates any that contain a reassignment of the unescape()
function to a variable because that is considered a vulnerability. I
have tested at work with a minimal JavaScript file and found that
Per's suggested modification is not blocked.

—Michael

On Jul 17, 4:07 pm, Per Cederberg <cederb...@gmail.com> wrote:
> Now that I'm awake, it strikes me that this might be the obvious solution:
>
>    function decode(text) {
>        if (typeof(decodeURIComponent) != "undefined") {
>            return decodeURIComponent(text);
>        } else {
>            return unescape(text);
>        }
>    }
>
> Try to patch it in a repackage the source code and let us know how it
> works. It's slightly less efficient code, but we might optimize some
> of that away if it works.
>
> Cheers,
>
> /Per
>
>
>
> On Fri, Jul 17, 2009 at 05:19, Bob Ippolito<b...@redivi.com> wrote:
>
> > There are various ways it could be rewritten, but without knowing
> > exactly how stupid the IPS is it's hard to say which permutation would
> > pass its test. Someone who can reproduce this issue should spend some
> > time with it and produce a patch.
>
> > On Thu, Jul 16, 2009 at 6:34 PM, Michael<mstras...@gmail.com> wrote:
>
> >> I have found a problem with MochiKit Base.js and the intrusion
> >> protection system at work. The IPS truncates Base.js because it
> >> assigns the unescape() function to a variable (in parseQueryString(),
> >> line 1225 in version 1.4.2 of Base.js). The IPS response is documented
> >> here:
>
> >>http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape...
>
> >> Has anybody else seen this behaviour? Could the code be re-written to
> >> not use that reassignment?
>
> >> (I discovered this because MarkMail does not work, and it uses a
> >> compressed version of MochiKit 1.4.)
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"MochiKit" group.
To post to this group, send email to mochikit@googlegroups.com
To unsubscribe from this group, send email to 
mochikit+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/mochikit?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to