
Re: [caplet] Re: ADsafe and the Standard Globals

  • Mike Samuel
    Message 1 of 15 , Apr 15 5:02 PM
      On 15/04/2008, Douglas Crockford <douglas@...> wrote:
      >
      > --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
      > > > I am relaxing ADsafe to allow access to these standard globals:
      > > >
      > > > Array Boolean Date decodeURI decodeURIComponent encodeURI
      > > > encodeURIComponent Error escape EvalError isFinite isNaN
      > > > Math Number Object parseInt parseFloat RangeError
      > > > ReferenceError RegExp String SyntaxError TypeError unescape
      > > > URIError
      > >
      > > Is it really worth including {,un}escape in light of
      > > http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
      > > Is it a goal to support older versions of JS that don't have
      > > {de,en}codeURIComponent?
      >
      > It is in the standard and it does not represent a leak. escape is not
      > recommended for encoding URLs, but can be used for encoding values in
      > cookies. Unless there is a stronger argument, I think it should be
      > allowed.

      I have no stronger argument than, in code I review, it is much more
      frequently misused than used properly.

      If the goal is to allow all innocuous ES built-ins, then it should be allowed.



      > > Is RegExp.$1 not allowed? If so, it may leak information from the
      > > last match performed by privileged code.
      >
      > RegExp.$1 is not allowed because $1 is not the name of one of the
      > Math/Number constants.
      >
      > RegExp['$1'] is not allowed because '$1' does not look like a
      > stringified number.
      >
      > ADsafe.get(RegExp, '$1') is not allowed because RegExp is a function.

      Cool.
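      The leak Mike asks about and the three rejection rules Doug lists, as an added example that is not ADsafe's own code: the checker functions and the constant-name list are my assumptions about the rules as quoted, not ADsafe's API.

```javascript
// Part 1 reproduces the information channel: the legacy RegExp.$1 static
// (Annex B era, still implemented by most engines) exposes the last match
// made by privileged code to any code that can name the property.
// Part 2 approximates the three rules quoted in the thread; the function
// names and the constant list are assumptions, not ADsafe's own code.

// Privileged code matches a secret and discards the result.
function privilegedMatch() {
  const secret = 'session=abc123; path=/'; // constructed sample value
  /session=([a-z0-9]+)/.exec(secret);
}

// Untrusted widget code never receives `secret`, yet can read the capture.
function widgetReadsLastMatch() {
  return RegExp.$1; // 'abc123' once privilegedMatch() has run
}

// Rule 1: `Global.name` is allowed only for Math/Number constant names,
// so `RegExp.$1` is rejected because '$1' is not one of them.
const CONSTANT_NAMES = new Set([
  'E', 'LN10', 'LN2', 'LOG10E', 'LOG2E', 'PI', 'SQRT1_2', 'SQRT2',
  'MAX_VALUE', 'MIN_VALUE', 'NaN', 'NEGATIVE_INFINITY', 'POSITIVE_INFINITY',
]);
function isAllowedDotAccess(name) {
  return CONSTANT_NAMES.has(name);
}

// Rule 2: `Global['key']` is allowed only when the key looks like a
// stringified number, so `RegExp['$1']` is rejected.
function isAllowedSubscript(key) {
  return /^\d+$/.test(String(key));
}

// Rule 3: ADsafe.get(base, name) is refused whenever the base is a
// function; the thread states only this case, so other bases are not
// judged here and would need further checks.
function isAllowedGet(base) {
  return typeof base !== 'function';
}
```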
    • Mark S. Miller
      Message 2 of 15 , Apr 15 5:12 PM
        On Tue, Apr 15, 2008 at 4:42 PM, Douglas Crockford
        <douglas@...> wrote:
        > > Is it really worth including {,un}escape in light of
        > > http://msdn2.microsoft.com/en-us/library/9yzah1fh(VS.85).aspx ?
        > > Is it a goal to support older versions of JS that don't have
        > > {de,en}codeURIComponent?
        >
        > It is in the standard [...]

        I just looked. They are not in the normative part of the ES3 spec.
        They appear only in Annex B. (B.2.1 & B.2.2)

        They have never appeared in the Caja whitelist, and probably never
        will. So they are not in any of the normative supersets of ADsafe.

        --
        Cheers,
        --MarkM
      • Douglas Crockford
        Message 3 of 15 , Apr 15 7:00 PM
          --- In caplet@yahoogroups.com, "Mark S. Miller" <erights@...> wrote:
          > I just looked. They are not in the normative part of the ES3 spec.
          > They appear only in Annex B. (B.2.1 & B.2.2)
          >
          > They have never appeared in the Caja whitelist, and probably never
          > will. So they are not in any of the normative supersets of ADsafe.

          And they are no longer in ADsafe. JSLint will flag them in all cases.