
Re: [caplet] Fwd: [Caja] secure string interpolation in javascript

  • Mike Samuel
    Jan 30, 2008
      On 30/01/2008, Monty Zukowski <monty@...> wrote:
      >
      > On Jan 29, 2008 9:12 PM, Mark Miller <erights@...> wrote:
      > > Like quasiliterals for JavaScript, but better.
      >
      > Very nice. I like the context scanning mechanism. I'll be curious to
      > see what the fsm.txt looks like for SQL. It wasn't clear to me how
      > the interpolator comes up with (1,2,3,4) for a list for the IN clause.
      > Given the nature of the scanner, I'm guessing that it is based on the
      > type of the argument passed in. You don't have enough context to know
      > it's in the IN clause, I assume. So, anywhere a list

      Escapers can use the runtime type of the substitution values. If the
      SQL escaper sees an array, then it iterates over elements, and if it
      sees a Date, it renders it in a form that SQL will recognize, and it
      can output a SQL NULL for the javascript counterpart.

      I have a first stab at a SQL that does have enough context based on
      last keyword and whether you've seen an open parenthesis since the IN.
      I may have to abandon deferred parentheses though, since there's no
      way to deal with WHERE FOO IN (1, 2, (SELECT COUNT(*) FROM BAR), $baz)
      with a constant amount of state.

      > is rendered
      > un-escaped, it will be in (1,2,3,4) form, right? If I have a list of
      > literals to chain together with OR x LIKE $y[1] OR x LIKE $y[2] ... I
      > need to do that in code, right?
      >
      > I know you explicitly described looping as a non-goal, but your
      > imaginary sql interpolator (I didn't see code for it) handles a list
      > where I would have expected to need to code that explicitly. Was your
      > intention only to show different contexts, or do you actually have in
      > mind a strategy for dealing with lists?

      For lists, and other collections, I can see a number of strategies:
      For e.g.
      var attribs = { 'id': 'foo', 'class': 'bar' };
      open(Template("<b ${attribs}>"))
      might yield
      '<b id="foo" class="bar">'

      This is strictly a template in code approach, so you can use the
      containing languages looping constructs. StringInterpolation objects
      nest, so

      var rows = [];
      for (var i = 0; i < names.length; ++i) {
        rows.push(open(Template("<tr><td>${names[i]}</td></tr>")));
      }
      var table = open(Template("<table>$rows</table>"));

      And the security guarantee:
      Literal portions will be tokenized the same way regardless of
      substitution values.
      assumes that nested StringInterpolations have been flattened to a
      single list of alternating literals & substitutions.

      >
      > Monty
      >
      > .
      >
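The two ideas in the message above, a type-directed SQL escaper and nested interpolations flattened into one alternating literal/substitution list, as an added illustration that is not Caja's code or Mike Samuel's: it uses an ES tagged template (the hypothetical `sql` tag) in place of the post's `Template`/`open`, and the names `SqlTemplate`, `flatten`, `escapeSqlValue` and `render` are this example's own.

```javascript
// Constructed example: literals come only from the template text, never from
// substitution values, so the literal portions tokenize the same way whatever
// values are passed in. Nested templates contribute their literals to the
// literal stream and their substitutions to the escaped stream.
class SqlTemplate {
  constructor(literals, subs) { this.literals = literals; this.subs = subs; }
}

// Tag function: sql`SELECT ... WHERE id IN ${ids}` (assumed API, not Caja's).
function sql(strings, ...values) {
  return new SqlTemplate(Array.from(strings), values);
}

// Flatten nested SqlTemplates into a single alternating literal/substitution list.
function flatten(t) {
  const literals = [''], subs = [];
  const append = (tpl) => {
    literals[literals.length - 1] += tpl.literals[0];
    for (let i = 0; i < tpl.subs.length; i++) {
      const v = tpl.subs[i];
      if (v instanceof SqlTemplate) append(v);        // nested: inline its parts
      else { subs.push(v); literals.push(''); }       // plain value: new slot
      literals[literals.length - 1] += tpl.literals[i + 1];
    }
  };
  append(t);
  return { literals, subs };
}

// Escape one substitution based on its runtime type, as the message describes.
function escapeSqlValue(v) {
  if (v === null || v === undefined) return 'NULL';
  // Empty list: emit (NULL) so "x IN ()" is not a syntax error and matches nothing.
  if (Array.isArray(v)) return v.length ? '(' + v.map(escapeSqlValue).join(', ') + ')' : '(NULL)';
  if (v instanceof Date) return "'" + v.toISOString().slice(0, 19).replace('T', ' ') + "'";
  if (typeof v === 'number' && Number.isFinite(v)) return String(v);
  if (typeof v === 'boolean') return v ? 'TRUE' : 'FALSE';
  // Strings: ANSI quote doubling; a real escaper must also follow the server's
  // dialect (e.g. backslash-interpreting servers need more than this).
  return "'" + String(v).replace(/'/g, "''").replace(/\0/g, '') + "'";
}

// Interleave escaped substitutions with the (trusted) literal text.
function render(t) {
  const { literals, subs } = flatten(t);
  let out = literals[0];
  for (let i = 0; i < subs.length; i++) out += escapeSqlValue(subs[i]) + literals[i + 1];
  return out;
}
```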