Tyler's "Bang Tutorial" <http://waterken.sourceforge.net/bang/> is the right place to start to understand the Javscript library used on the client to talk to...
The Waterken server is itself built in Joe-E and provides distributed capability-based interaction for Joe-E objects via an https/json based crypto capability...
The Waterken server itself can be downloaded from http://sourceforge.net/projects/waterken/ The core of the Javascript library that provides the API for...
JSLint.com contains an ADsafe feature. Its intent is to enforce a safe subset of JavaScript for use in ads and widgets. ADsafe requires no transformations. It...
... Bravo! It would be elegant and possibly easy to annotate each warning with a category where the categories are those listed in the options box below. A...
And Object.eval isn't present on all browsers, so it breaks the rules but I thought I'd mention it: (function () { var x = {}; var y = 'evaluate'.substring(0,...
... If I submit anything starting with: <!-- I get the error: Problem at line NaN character NaN: stack has no properties I suspect that the 'NaN's here are...
David Hopwood
david.hopwood@...
Sep 30, 2007 10:33 pm
48
(function () { var x = function () {}; var y = 'constructor'; var z = (x[y]); var w = z('alert("hi")'); w(); })(); cheers, mike...
Square brackets are clearly problematic, as they allow access to eval. I suggest you deny them entirely and (optionally) allow authors use the ADSAFE API to...
... What is the rule that is being applied to: (function () { var y = 'constructor'; ({}[y])('alert("hi")')(); })(); that provokes an ADsafe restriction, when ...
David Hopwood
david.hopwood@...
Sep 30, 2007 11:33 pm
51
... This is a case where conciseness matters for the acceptability of the restriction, so I suggest something like: SET(foo, bar, GET(foo, bar) + 1); instead. ...
David Hopwood
david.hopwood@...
Sep 30, 2007 11:40 pm
52
Or you allow an idiom that first asserts that the index is safe ('number' === typeof i) && obj[<expr>] Where expression is allowed to be something that...
... Why is the ADSAFE object not first-class ("var a = ADSAFE;" fails)? That doesn't seem to be necessary for security. -- David Hopwood...
David Hopwood
david.hopwood@...
Oct 1, 2007 1:45 am
55
... Better: foo.set(bar, foo.get(bar) + 1); and undo the conflation of objects with arrays and dictionaries, by defining 'get' and 'set' only for the latter. ...
David Hopwood
david.hopwood@...
Oct 1, 2007 1:56 am
56
Special thanks to Mike Samuel. I owe you a late of shrimp. I am now disallowing the use of subscripting. In its place, I will be providing ADSAFE.get(object,...
Not all dangerous dereferences are functions: (function() { var javascript = "javascript"; javascript += ":alert(42)"; ADSAFE.get({}, "__parent__").location =...
I dislike blacklists. See comments on hasOwnProperty below. ... Perhaps exclude.hasOwnProperty(name)? Right now you'll exclude valueOf, though whether that's...
... hasOwnProperty would ... I like the idea of restricting access to the prototype chain. ... I want to control what functions they get access to. Functions...
Douglas Crockford wrote: [...] ... IMHO the rejections should not be silent; they should throw an exception. In any case, I prefer my suggestion to use...
David Hopwood
david.hopwood@...
Oct 4, 2007 1:26 am
67
... Good point. I am now scanning for the presence of any control character. ... JSLint runs in a number of configurations, including Rhino and WSH, which read...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
