Thanks Per for your analysis. I think your suggestion will work. Who will try it? I am not a MochiKit user directly. I'm a MarkMail user who investigated why he can't view articles at work.
At work I am getting an exception made to allow JavaScript from markmail.org. But that doesn't help anyone else wanting to use a site using MochiKit inside a similarly-protected environment.

The IDS information I have is that a Proventia device scans JavaScript files. It truncates any that contain a reassignment of the unescape() function to a variable because that is considered a vulnerability. I have tested at work with a minimal JavaScript file and found that Per's suggested modification is not blocked.

—Michael

On Jul 17, 4:07 pm, Per Cederberg <cederb...@gmail.com> wrote:
> Now that I'm awake, it strikes me that this might be the obvious solution:
>
> function decode(text) {
>     if (typeof(decodeURIComponent) != "undefined") {
>         return decodeURIComponent(text);
>     } else {
>         return unescape(text);
>     }
> }
>
> Try to patch it in and repackage the source code and let us know how it
> works. It's slightly less efficient code, but we might optimize some
> of that away if it works.
>
> Cheers,
>
> /Per
>
> On Fri, Jul 17, 2009 at 05:19, Bob Ippolito <b...@redivi.com> wrote:
>
> > There are various ways it could be rewritten, but without knowing
> > exactly how stupid the IPS is it's hard to say which permutation would
> > pass its test. Someone who can reproduce this issue should spend some
> > time with it and produce a patch.
> >
> > On Thu, Jul 16, 2009 at 6:34 PM, Michael <mstras...@gmail.com> wrote:
> >
> >> I have found a problem with MochiKit Base.js and the intrusion
> >> protection system at work. The IPS truncates Base.js because it
> >> assigns the unescape() function to a variable (in parseQueryString(),
> >> line 1225 in version 1.4.2 of Base.js). The IPS response is documented
> >> here:
> >>
> >> http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape...
> >>
> >> Has anybody else seen this behaviour? Could the code be re-written to
> >> not use that reassignment?
> >>
> >> (I discovered this because MarkMail does not work, and it uses a
> >> compressed version of MochiKit 1.4.)
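
An added example, not part of the thread and not MochiKit's code: a minimal query-string parser run with both decoder forms, the aliased one described above and Per's wrapper, to confirm that they return the same results on constructed inputs. All function names and sample strings are assumptions made for the illustration.

```javascript
// Added example; decodeAliased, decodeWrapped, parseQuery, SAMPLES and
// formsAgree are hypothetical names, not MochiKit identifiers.

// Form described in the thread: the chosen decoder function itself
// (possibly unescape) is assigned to a variable.
var decodeAliased = (typeof decodeURIComponent != "undefined")
    ? decodeURIComponent
    : unescape;

// Per's suggested form: unescape is only ever called, never assigned.
function decodeWrapped(text) {
    if (typeof decodeURIComponent != "undefined") {
        return decodeURIComponent(text);
    } else {
        return unescape(text);
    }
}

// Minimal query-string parser that takes the decoder as a parameter.
function parseQuery(qstr, decode) {
    var result = Object.create(null); // no prototype: every key is plain data
    var pairs = qstr.replace(/^\?/, "").replace(/\+/g, "%20").split("&");
    for (var i = 0; i < pairs.length; i++) {
        if (pairs[i] === "") { continue; } // skip empty segments ("a=1&&b")
        var idx = pairs[i].indexOf("=");
        var name = idx < 0 ? pairs[i] : pairs[i].slice(0, idx);
        var value = idx < 0 ? "" : pairs[i].slice(idx + 1);
        result[decode(name)] = decode(value);
    }
    return result;
}

// Constructed sample inputs.
var SAMPLES = ["?q=hello+world&lang=en", "name=Per%20C&x=%E2%9C%93",
               "a=1&&b", "k%3D1=v%26w"];

// True when both decoder forms give identical results on every sample.
function formsAgree() {
    return SAMPLES.every(function (q) {
        return JSON.stringify(parseQuery(q, decodeAliased)) ===
               JSON.stringify(parseQuery(q, decodeWrapped));
    });
}

console.log(formsAgree());
```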