
ADsafe, Take 2

  • Douglas Crockford
    Message 1 of 3 , Oct 1, 2007
      Special thanks to Mike Samuel. I owe you a plate of shrimp.

      I am now disallowing the use of subscripting. In its place, I will be
      providing ADSAFE.get(object, name) and ADSAFE.set(object, name, value)
      that will do checking.

      You can assume the presence of those methods. They will reject
      requests where the typeof object or value or the returned value are
      'function'.

      If you can get past ADsafe to alert on any one browser, then ADsafe is
      broken.

      Thanks all.
    • collin_jackson
      Message 2 of 3 , Oct 1, 2007
        Not all dangerous dereferences are functions:

        (function() {
        var javascript = "javascript"; javascript += ":alert(42)";
        ADSAFE.get({}, "__parent__").location = javascript;
        })();

        --- In caplet@yahoogroups.com, "Douglas Crockford" <douglas@...> wrote:
        > I am now disallowing the use of subscripting. In its place, I will be
        > providing ADSAFE.get(object, name) and ADSAFE.set(object, name, value)
        > that will do checking.
        >
        > You can assume the presence of those methods. They will reject
        > requests where the typeof object or value or the returned value are
        > 'function'.
        >
        > If you can get past ADsafe to alert on any one browser, then ADsafe is
        > broken.
      • Douglas Crockford
        Message 3 of 3 , Oct 1, 2007
          --- In caplet@yahoogroups.com, "collin_jackson" <collinj@...> wrote:
          >
          > Not all dangerous dereferences are functions:
          >
          > (function() {
          > var javascript = "javascript"; javascript += ":alert(42)";
          > ADSAFE.get({}, "__parent__").location = javascript;
          > })();

          Quite right. I should have mentioned that get and put will also block
          the same members that ADsafe blocks, including names starting with _.
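The checking accessors discussed in this thread, written as an added sketch that is not ADsafe's own code: it applies only the two rules the messages state, rejecting a request when the object, the value or the returned value has typeof 'function', and rejecting member names that start with an underscore, so Collin's "__parent__" probe is refused before its .location can be touched. The ADSAFE object, the isRejected helper and the sample objects below are constructed for this illustration.

```javascript
// Added illustration, not ADsafe's code: a minimal model of the two checks
// stated in the thread. The null/undefined guard is an extra assumption so a
// bad object gives a clear rejection instead of a TypeError.
function reject(why) {
  throw new Error("ADSAFE: " + why);
}

// The thread only specifies "names starting with _" as blocked, so that is the
// only name rule modelled here (it also covers __proto__ and __parent__).
function isBlockedName(name) {
  return typeof name !== "string" || name.length === 0 || name.charAt(0) === "_";
}

function checkObject(object) {
  if (typeof object === "function") reject("object is a function");
  if (object === null || object === undefined) reject("object is null or undefined");
}

var ADSAFE = {
  get: function (object, name) {
    checkObject(object);
    if (isBlockedName(name)) reject("blocked member name: " + name);
    var result = object[name];
    // Inherited members such as 'constructor' are functions and are refused here.
    if (typeof result === "function") reject("returned value is a function");
    return result;
  },
  set: function (object, name, value) {
    checkObject(object);
    if (isBlockedName(name)) reject("blocked member name: " + name);
    if (typeof value === "function") reject("value is a function");
    object[name] = value;
    return value;
  }
};

// Returns true when the wrapped call is rejected by the accessor.
function isRejected(fn) {
  try { fn(); return false; } catch (e) { return true; }
}

// Constructed checks mirroring the thread.
var probeRejected = isRejected(function () {
  return ADSAFE.get({}, "__parent__");            // Collin's probe: blocked by the '_' rule
});
var ctorRejected = isRejected(function () {
  return ADSAFE.get({}, "constructor");           // Object is a function: blocked by the typeof rule
});
var plainRead = ADSAFE.get({ colour: "red" }, "colour");  // ordinary data: allowed
```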