Ahh right, my memory is off. I forgot that {} is in the wrong scope, so it doesn't
trigger __defineSetter__ due to a syntax error.

On May 17, 2012, at 10:07 AM, Daniel Friesen wrote:
> On Wed, 16 May 2012 19:46:26 -0700, Roan Kattouw <[email protected]>
> wrote:
>
>> On Wed, May 16, 2012 at 7:32 PM, Terry Chay <[email protected]> wrote:
>>> I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects against
>>> this as it is required for an edit: http://www.mediawiki.org/wiki/API:Edit
>>>
>> Not if you can read the data using the Object/Array constructor hacks
>> you described. The potential for data leakage includes token leakage,
>> and once you get the API to leak a token you can create a hidden form
>> on the page that POSTs all the right data (including the token) to the
>> action=edit API and call .submit() on the form.
>>
>> Roan
>
> Actually I don't think the object constructor or getter hacks work.
>
> jQuery('<script />', {src:
> "https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Main%20Page&format=json"}).appendTo('head');
> api.php:1 Uncaught SyntaxError: Unexpected token :
>
> We don't wrap the JSON in ()'s (it would be invalid JSON). And as a result
> the {} is in a statement scope instead of an expression scope. As a result
> the JavaScript engine tries to parse this as a block of code rather than an
> object. Naturally since "asdf": is not valid code the JavaScript engine
> quickly fatals considering this a SyntaxError before it can evaluate anything.
>
> It only works for array because [] doesn't have the ambiguity that {} has.
>
> --
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
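
The statement-versus-expression distinction discussed in this thread, as an added example that is not part of the original messages: it checks whether a response body would compile if loaded through a `<script>` tag. The sample bodies and the function names (`parsesAsScript`, `isValidJson`, `classify`, `report`) are constructed for illustration.

```javascript
// Added illustration; sample bodies are constructed, not real API output.
// new Function() only compiles its argument here; the result is never
// called, so nothing in the sample bodies is executed.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// True when the body is strict JSON.
function isValidJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// A body can be pulled in via <script src> only if it compiles as a script.
function classify(body) {
  return { json: isValidJson(body), script: parsesAsScript(body) };
}

const samples = {
  // "{" opens a block statement, so "query": is a syntax error.
  object: '{"query":{"pages":{"1":{"title":"Main Page"}}}}',
  // "[" can only start an expression, so this compiles as a script.
  array: '[{"title":"Main Page"}]',
  // Parentheses force expression context, but the body is no longer JSON.
  wrappedObject: '({"query":{"pages":{}}})',
  // Compiles as an empty block statement, which carries no data.
  emptyObject: '{}',
};

function report() {
  const out = {};
  for (const [name, body] of Object.entries(samples)) out[name] = classify(body);
  return out;
}

console.log(report());
```

Running the same check over an API's real response bodies shows which endpoints return a top-level array, the one shape the thread identifies as still compiling when included as a script.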