
Re: [caplet] ADsafe, Take 4

  • Mike Samuel
    Message 1 of 3 , Oct 4, 2007
      catch is problematic.

      Below is my writeup of scoping re catch.

      If my recollections of the behavior of old versions of Firefox/Mozilla are correct, then catch can be used to inject into the global namespace, to, for example, replace encodeURIComponent/encodeURI with a function that, when called by the embedding page, would substitute malicious CGI parameters into a URL, possibly tricking the embedding page into issuing a completely different request than the one it intended.



      EcmaScript 262 says that only the Program and FunctionDeclaration
      constructs introduce new lexical scopes. EcmaScript 262 section 10.1.4 says:

          During execution within an execution context, the scope chain of the
          execution context is affected only by with statements (see 12.10) and
          catch clauses (see 12.14).

      Section 12.10 describes with statements:

          The with statement adds a computed object to the front of the scope
          chain of the current execution context, then executes a statement with
          this augmented scope chain, then restores the scope chain.

      Section 12.14 describes catch clauses:

          The production Catch : catch (Identifier ) Block is evaluated as
          follows:
          1. Let C be the parameter that has been passed to this production.
          2. Create a new object as if by the expression new Object().
          3. Create a property in the object Result(2). The property's name is
             Identifier, value is C.value, and attributes are { DontDelete }.
          4. Add Result(2) to the front of the scope chain.
          5. Evaluate Block.
          6. Remove Result(2) from the front of the scope chain.
          7. Return Result(5).

      Existing interpreters fail to implement the semantics of 12.14. Old
      versions of Firefox/Mozilla (?) allow global assignment this way.

      IE introduces it as a variable in the local scope, instead of creating a
      new scope.
      var a = 0;
      (function () {
        try {
          throw 1;
        } catch (a) {
          // catch binds a = 1; per 12.14 that binding should end with this block
        }
      })();
      alert(a); // alerts 1 on old FF (a conformant engine alerts 0)

      (function () {
        var a = 0;
        try {
          throw 1;
        } catch (a) {
          // the catch identifier shadows the local var a
        }
        alert(a); // alerts 1 on IE 6 (a conformant engine alerts 0)
      })();




      On 04/10/2007, Douglas Crockford <douglas@...> wrote:

      > I have put more limitations on what is tolerated in HTML. I suspect
      > there are more gremlins out there.
      >
      > I am worried about catch(name) clauses. The way that name is scoped is
      > unexpected. I think there may be more problems there.
      >
      > Big thanks to everyone who has been looking at this.

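As an added example that is not code from this thread or from ADsafe: a feature-detection probe that a sandbox loader could run before relying on catch-clause scoping. It exercises both shapes from the message above (a catch identifier that names an outer variable, and one that shadows a local var) and reports whether either binding escapes its catch block; the names probeCatchScoping, catchScopingIsConformant and probeGlobal are my own.

```javascript
// Constructed sentinel in the enclosing (script/module) scope.
var probeGlobal = 0;

// Probe both non-conformant behaviours described in the thread.
// A conformant engine (ES3 12.14) returns both flags false.
function probeCatchScoping() {
  var result = { leaksToFunctionScope: false, leaksToOuterScope: false };

  // Shape 1 (the "IE 6" case): the catch identifier shadows a local var.
  // The catch object is pushed on the scope chain only for the Block,
  // so neither the binding (1) nor the write (99) may reach `local`.
  var local = 0;
  try {
    throw 1;
  } catch (local) {
    local = 99; // write to the catch binding; must not escape the block
  }
  if (local !== 0) {
    result.leaksToFunctionScope = true;
  }

  // Shape 2 (the "old Firefox" case): the catch identifier names a
  // variable of an outer scope. `probeGlobal` must still be 0 afterwards.
  (function () {
    try {
      throw 2;
    } catch (probeGlobal) {
      probeGlobal = 99; // likewise confined to the catch block
    }
  })();
  if (probeGlobal !== 0) {
    result.leaksToOuterScope = true;
  }

  return result;
}

// Convenience check a loader can gate on: true only when catch bindings
// are confined to their block, as 12.14 requires.
function catchScopingIsConformant() {
  var r = probeCatchScoping();
  return !r.leaksToFunctionScope && !r.leaksToOuterScope;
}
```

On a conformant engine (for example current Node.js or any modern browser) catchScopingIsConformant() returns true; on the old engines the message describes, one of the two flags would be set.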

    • Douglas Crockford
      Message 2 of 3 , Oct 9, 2007
        --- In caplet@yahoogroups.com, "Mike Samuel" <mikesamuel@...> wrote:
        >
        > catch is problematic.

        Does any browser include object references or functions in its
        exception objects?