Re: [Caja] eval() in FF3 - just in case...
On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich
> Just in case this is not known/intercepted yet.
Wow. No, we had no idea. I admit that I am shocked that the one tight
Cajita, ADsafe, FBJS, Jacaranda) already prevent access to the eval
function, as they must. So we should all be safe from this particular
new hole. However, so long as browser vendors feel free to quietly
introduce holes this large in existing functions...
--- In firstname.lastname@example.org, "Mark S. Miller" <erights@...> wrote:
> On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich
> <Mario.Heiderich@...> wrote:
> > http://peter.michaux.ca/article/8069
> > Just in case this is not known/intercepted yet.
> Wow. No, we had no idea.
I reply-all'ed since Mark cc'ed me, but I was not a member of the
email@example.com list so the message bounced off that address.
Here's the caja-discuss link:
On Fri, Jun 27, 2008 at 12:39 PM, Brendan Eich <brendan@...> wrote:
> There's no "now" -- this old eval extension was added over ten years ago:
Hi Brendan, I was completely unaware of this history and did indeed
think that this was a newly opened hole. I'm very pleased to find that
it isn't. I'm especially pleased to hear that you folks plan to remove
this in a future release. Thanks for the clarification!