Re: [caplet] Re: ADsafe, Take 3

  • Mike Samuel
    Oct 4, 2007
      No because ]]> can end a CDATA section introduced by the embedding XHTML page which would then allow the embedding script to play tricks with entities that aren't recognized by your lexer.  Consider  /* */ .constructor /**/ where 42 === ord('*')

      Given that XHTML allows arbitrary entity definitions in DOCTYPE elements, you can't modify your lexer to recognize all entities, so if you want to restrict ADsafe JS to embeddable JS, the only thing you can do is disallow anything that looks like an entity in a pre-lexer pass.

      There are a few ways to do this:
      - require that the <, >, >=, >>, <<, %, &, and && operators and their self-assignment versions be separated by whitespace from other tokens
      - require that characters in [<>&%] in string literals and regular expressions be hex/octal/unicode escaped

      But even if you do that, if you advertise the output as "safe for embedding in script tags", someone will go and put it in an onclick handler, and you can't produce javascript that contains string literals and is safe regardless of which quotes are used for html attribute values.

      And finally, embedding opens you up to all kinds of charset attacks.  IE guesses character encoding for HTML pages regardless of whether they are served with a Content-type header, but not for javascript files that have a content-type header.  You could approve javascript for embedding only to find that it causes the page to be interpreted in a completely different character set.  I can't think of any way to exploit it off the top of my head, but it would make me leery of embedding third-party javascript directly in my pages.


      On 04/10/2007, Douglas Crockford <douglas@...> wrote:

      --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
      > If you do want to allow ADsafe JS to be embedded in a script tag,
      > you need
      > to deal with ]]> as well, since the following could be used to throw

      Is it sufficient to disallow <![ ?
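An added example (not code from the thread or from ADsafe) of the pre-lexer pass Mike describes above: it scans the raw program text, before any JavaScript lexer runs, for the things an XHTML parser would rewrite first, namely anything that looks like a character or entity reference plus the CDATA delimiters. The names checkEmbeddable and findXhtmlHazards and the two sample inputs are this example's own.

```javascript
// Pre-lexer check for JS that is to be embedded inline in an XHTML <script>.
// Deliberately not tokenised: an XHTML parser decodes &#42; inside a JS comment
// or string literal exactly as it does anywhere else, so JS context is irrelevant.
const HAZARDS = [
  // Conservative: flag anything that starts like a reference (&name, &#NN, &#xHH),
  // terminated or not, since a DOCTYPE may define any entity name at all.
  { kind: "entity", re: /&(?:#[xX]?[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);?/g },
  // ]]> ends a CDATA section the embedding page may have opened around the script.
  { kind: "cdata-end", re: /\]\]>/g },
  // <![ could open one (Crockford's question), hiding what follows from the XML parser.
  { kind: "cdata-start", re: /<!\[/g },
];

// What a well-formed numeric reference turns into after XHTML parsing, so the
// report can say "&#42; decodes to *". Named references depend on the DTD.
function decodeNumericRef(ref) {
  const m = /^&#([xX])?([0-9a-fA-F]+);$/.exec(ref);
  return m ? String.fromCodePoint(parseInt(m[2], m[1] ? 16 : 10)) : null;
}

// Every hazard in source order, with offset and (where known) decoded character.
function findXhtmlHazards(src) {
  const found = [];
  for (const { kind, re } of HAZARDS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(src)) !== null) {
      found.push({ kind, text: m[0], offset: m.index, decodesTo: decodeNumericRef(m[0]) });
    }
  }
  return found.sort((a, b) => a.offset - b.offset);
}

// True only when the text reads identically to an XHTML parser and to a JS lexer.
function checkEmbeddable(src) {
  return findXhtmlHazards(src).length === 0;
}

// Constructed inputs: the comment trick from the thread with the &#42; (= '*')
// reference spelled out, and an ordinary line whose bare operators are fine.
const smuggled = "/* &#42;/ .constructor /**/";
const clean = "var n = a < b && c >= d;";
```

This only covers the script-element case; in an attribute such as onclick the parser also rewrites the quote characters, which no check on the JS text alone can compensate for.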


