On Mon, 7 Jan 2013, Adam Barth wrote:
>
> > Why not just introduce a keyword or pragma to JavaScript that tells
> > the user agent to act as if the end of the Program production had been
> > reached, and that it should treat the remainder of the file as another
> > Program?
> >
> > This could even be done in a backwards-compatible fashion by having
> > the syntax to do this be something that down-level clients ignore,
> > e.g.:
> >
> >    /*@BREAK*/
> >
> > ...or some such.
>
> That approach is an in-band signal, which means it's vulnerable to
> injection attacks.

If you can inject this, you can inject arbitrary code, so I don't see how 
this would be a problem.

> For example, consider a server that produces a JavaScript file of the
> following form:
>
> [...]
> var userData = "<?php echo sanitize($userData) ?>";
> [...]
>
> Currently, the rules for sanitizing user input are relatively
> straightforward (essentially, you just need to worry about a few special
> characters).

Those simple rules would prevent anyone from inserting a pragma-like 
comment, too, so that's fine.

> However, if we implemented an in-band signaling we might well break
> these sanitation algorithms.

How? I'm not suggesting changing any JS syntax, just making existing JS 
syntax be used as a signal.

If making a comment do this is too dodgy, make it something like this:

   breakParsing();

...and for down-level support, define an explicit breakParsing function 
that does nothing.

If someone can insert a function call into JS, you've definitely lost 
already.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
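The point both sides of the exchange rely on is that the sanitize() step in the quoted PHP template keeps user data inside the string literal, so neither a comment such as /*@BREAK*/ nor a call such as breakParsing() can reach the parser as code. The following is an added example, not code from the thread or from any project mentioned in it: escapeForJsString() and renderUserDataLine() are hypothetical names standing in for that sanitize() step, and the inputs in constructedInputs are constructed for the demonstration. The check evaluates each generated line as a complete program and confirms that exactly the original value comes back, which is what "you've already lost if they can escape the literal" means in practice.

```javascript
// Added example (not from the thread). Escape a value so it can sit between
// double quotes in a generated JS source file. Every character that could end
// the literal, act as a line terminator, or close a surrounding <script>
// element is replaced with a JavaScript escape sequence. Everything else,
// including "*/" and "();", passes through as ordinary string content.
function escapeForJsString(value) {
  return String(value).replace(/[\\"'\n\r\u2028\u2029<>&\/\x00-\x1f]/g, (ch) => {
    switch (ch) {
      case '\\': return '\\\\';
      case '"':  return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default:
        // \uXXXX covers the rest: U+2028/U+2029 (line terminators in JS),
        // '<', '>', '&', '/' (so "</script>" cannot appear in the output),
        // the single quote and the remaining C0 control characters.
        return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Emit the line the template in the thread would produce (hypothetical
// stand-in for: var userData = "<?php echo sanitize($userData) ?>";).
function renderUserDataLine(value) {
  return 'var userData = "' + escapeForJsString(value) + '";';
}

// Defender's check: compile the generated line as a complete Program and
// confirm that the value read back is the original input. Any injected
// statement, comment or pragma would first have to terminate the literal,
// which the escaper makes impossible.
function roundTrips(value) {
  const src = renderUserDataLine(value) + ' return userData;';
  // new Function compiles src as a function body; no DOM or globals needed.
  return new Function(src)() === value;
}

// Constructed inputs that try to break out of the literal in the ways the
// thread discusses (comment pragma, function call, backslash-quote, script
// close tag, Unicode line terminator).
const constructedInputs = [
  'plain text',
  '"; breakParsing(); var x = "',
  '*/ /*@BREAK*/ /*',
  '\\"; alert(1); //',
  '</script><script>alert(1)</script>',
  'line\u2028break',
];

// True when every constructed input survives the round trip unchanged.
function allRoundTrip() {
  return constructedInputs.every(roundTrips);
}

// True when no generated line contains a raw line terminator or '<', i.e.
// the output is safe to embed in an HTML <script> element as well as in a
// standalone .js file.
function noRawTerminators() {
  return constructedInputs.every(
    (v) => !/[\n\r\u2028\u2029<]/.test(renderUserDataLine(v))
  );
}
```

Escaping with \uXXXX rather than a fixed list of characters is what keeps the escaper robust: adding a new in-band signal to the language, whether a comment marker or a call, adds no new way to terminate a string literal, so the sanitizer's job is unchanged, which is Ian's argument above.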
