Loading ...
Sorry, an error occurred while loading the content.

232Re: [Caja] eval() in FF3 - just in case...

Expand Messages
  • Mark S. Miller
    Jun 27, 2008
      On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich
      <Mario.Heiderich@...> wrote:
      > http://peter.michaux.ca/article/8069
      > Just in case this is not known/intercepted yet.

      Wow. No, we had no idea. I admit that I am shocked that the one tight
      encapsulation mechanism in JavaScript itself -- lexical closures --
      has now been ruined. Fortunately, all safe JavaScript subsets (Caja,
      Cajita, ADsafe, FBJS, Jacaranda) already prevent access to the eval
      function, as they must. So we should all be safe from this particular
      new hole. However, so long as browser vendors feel free to quietly
      introduce holes this large in existing functions...

    • Show all 3 messages in this topic