
199 Re: ADsafe and the Standard Globals

  • Douglas Crockford
    Apr 15, 2008
      --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
      > > I am relaxing ADsafe to allow access to these standard globals:
      > >
      > > Array Boolean Date decodeURI decodeURIComponent encodeURI
      > > encodeURIComponent Error escape EvalError isFinite isNaN
      > > Math Number Object parseInt parseFloat RangeError
      > > ReferenceError RegExp String SyntaxError TypeError unescape
      > > URIError
      >
      > Is it really worth including {,un}escape in light of
      > http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
      > Is it a goal to support older versions of JS that don't have
      > {de,en}codeURIComponent?

      It is in the standard and it does not represent a leak. escape is not
      recommended for encoding URLs, but can be used for encoding values in
      cookies. Unless there is a stronger argument, I think it should be
      allowed.

      > Is RegExp.$1 not allowed? If so, it may leak information from the
      > last match performed by privileged code.

      RegExp.$1 is not allowed because $1 is not the name of one of the
      Math/Number constants.

      RegExp['$1'] is not allowed because '$1' does not look like a
      stringified number.

      ADsafe.get(RegExp, '$1') is not allowed because RegExp is a function.
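
The three rejections described in the reply above, modeled as an added JavaScript example (not ADsafe's code and not part of the original message). The function names, the constant list, the number pattern and the sample token are assumptions made for illustration.

```javascript
// Added illustration, not ADsafe source. All names below are hypothetical.

// Why the question matters: the legacy RegExp.$1..$9 static properties are
// shared by every script in the realm and persist after a match returns.
function hostMatchesSecret() {
  // Constructed sample value standing in for data only the host should see.
  return /token=(\w+)/.test('token=s3cr3tValue');
}
function unrestrictedGuestRead() {
  hostMatchesSecret();
  return RegExp.$1; // capture group left behind by the host's match
}

// ES3 Math and Number constant names (assumed to be the set the reply means).
const CONSTANT_NAMES = new Set([
  'E', 'LN10', 'LN2', 'LOG2E', 'LOG10E', 'PI', 'SQRT1_2', 'SQRT2',
  'MAX_VALUE', 'MIN_VALUE', 'NaN', 'NEGATIVE_INFINITY', 'POSITIVE_INFINITY',
]);

// Rule 1: dot access on a standard global only for a constant name.
function dotAccessAllowed(name) {
  return CONSTANT_NAMES.has(name);
}

// Rule 2: a string subscript must look like a stringified number.
// The exact pattern is an assumption; the reply gives no grammar.
function subscriptAllowed(key) {
  return /^-?\d+(\.\d+)?$/.test(key);
}

// Rule 3: the dynamic accessor refuses function objects, and RegExp is one.
function modelGet(object, key) {
  if (typeof object === 'function') {
    throw new TypeError('get refused: object is a function');
  }
  return object[key];
}

// Run all three spellings of the same read through their gates.
function checkAllForms() {
  let getResult = 'allowed';
  try { modelGet(RegExp, '$1'); } catch (e) { getResult = 'rejected'; }
  return {
    dot: dotAccessAllowed('$1') ? 'allowed' : 'rejected',
    subscript: subscriptAllowed('$1') ? 'allowed' : 'rejected',
    get: getResult,
  };
}
```

`unrestrictedGuestRead()` shows what code outside the subset can recover after a host match; `checkAllForms()` shows each spelling of that read failing its own gate.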