
ADsafe, Take 4

  • Douglas Crockford
    Message 1 of 3, Oct 4, 2007
      I have put more limitations on what is tolerated in HTML. I suspect
      there are more gremlins out there.

      I am worried about catch(name) clauses. The way that name is scoped is
      unexpected. I think there may be more problems there.

      Big thanks to everyone who has been looking at this.
    • Mike Samuel
      Message 2 of 3, Oct 4, 2007
        catch is problematic.

        Below is my writeup of scoping re catch.

        If my recollections of the behavior of old versions of Firefox/Mozilla are correct, then catch can be used to inject into the global namespace, to, for example, replace encodeURIComponent/encodeURI with a function that when called by the embedding page, would substitute malicious cgi parameters into a URL possibly tricking the embedding page into issuing a completely different request than the one it intended.
        ECMAScript 262 says that only the Program and FunctionDeclaration
        constructor introduce new lexical scopes. ECMAScript 262 section 10.1.4 says:
        During execution within an execution context, the scope chain of the
        execution context is affected only by with statements (see 12.10) and
        catch clauses (see 12.14).

        Section 12.10 describes with statements:
        The with statement adds a computed object to the front of the scope
        chain of the current execution context, then executes a statement with
        this augmented scope chain, then restores the scope chain.

        Section 12.14 describes catch clauses:
        The production Catch : catch (Identifier) Block is evaluated as
        follows:
        1. Let C be the parameter that has been passed to this production.
        2. Create a new object as if by the expression new Object().
        3. Create a property in the object Result(2). The property's name is
        Identifier, value is C.value, and attributes are { DontDelete }.
        4. Add Result(2) to the front of the scope chain.
        5. Evaluate Block.
        6. Remove Result(2) from the front of the scope chain.
        7. Return Result(5).

        Existing interpreters fail to implement the semantics of 12.14. Old
        versions of Firefox/Mozilla (?) allow global assignment this way.

        IE introduces it as a variable in the local scope, instead of creating a
        new scope.
        var a = 0;
        (function () {
            try {
                throw 1;
            } catch (a) {
                // per 12.14, this `a` lives only in the catch scope object
            }
        })();
        alert(a); // alerts 1 on old FF

        (function () {
            var a = 0;
            try {
                throw 1;
            } catch (a) {
                // per 12.14, the local `a` above must be left untouched
            }
            alert(a); // alerts 1 on IE 6
        })();
        On 04/10/2007, Douglas Crockford <douglas@...> wrote:
        > I have put more limitations on what is tolerated in HTML. I suspect
        > there are more gremlins out there.
        >
        > I am worried about catch(name) clauses. The way that name is scoped is
        > unexpected. I think there may be more problems there.
        >
        > Big thanks to everyone who has been looking at this.

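        Mike's two snippets above show the deviations by hand. The following is an added runnable probe, not part of the original thread, that checks every place a catch identifier could write through if an engine ignores section 12.14 (an enclosing binding, a same-named local var, the global object); it assumes an engine with globalThis and reports false for all three on a conforming one.

```javascript
// Added example, not code from the thread. Probes whether the running engine
// honours ECMAScript 262 section 12.14: the catch identifier lives in a fresh
// object pushed onto the scope chain for the Block only. A sandbox that admits
// catch(name) can run this once at load time and bail out on any leak.

// Variant 1, the "old FF" shape from the post: the catch parameter has the
// same name as a binding in an enclosing scope.
var outerName = 0;
function catchLeaksToEnclosingScope() {
  outerName = 0;
  (function () {
    try {
      throw 1;
    } catch (outerName) {
      outerName = 2;   // a conforming engine rebinds only the catch-scope property
    }
  })();
  return outerName !== 0;
}

// Variant 2, the "IE 6" shape: a var in the same function as the catch clause.
function catchLeaksToLocalScope() {
  var a = 0;
  try {
    throw 1;
  } catch (a) {
    a = 2;
  }
  return a !== 0;   // true only if catch (a) aliased the local var
}

// Variant 3: the catch identifier must not appear on the global object either
// (assumes globalThis, i.e. Node 12+ or a modern browser).
function catchCreatesGlobal() {
  try {
    throw 1;
  } catch (leakedCatchName) {
    leakedCatchName = 2;
  }
  return 'leakedCatchName' in globalThis;
}

// One boolean per variant; all three are false on a conforming engine.
function probeCatchScoping() {
  return { enclosing: catchLeaksToEnclosingScope(),
           local: catchLeaksToLocalScope(),
           global: catchCreatesGlobal() };
}
```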
      • Douglas Crockford
        Message 3 of 3, Oct 9, 2007
          --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
          >
          > catch is problematic.

          Does any browser include object references or functions in its
          exception objects?