46 results from messages in caplet

  • 2010/5/26 adam.kumpf > > > > > > > > > Caja is a great idea, but it has some large fundamental limitations. As I > > > see it, since the code is transformed irreversibly it is significantly > > > harder to debug, maintain, and verify at runtime. ADsafe seems so > > > straight-forward and elegant in its simplicity; am I missing something > > > bigger here? > > > > > > > ADsafe is a...
    Mike Samuel May 26, 2010
  • 2010/5/24 adam.kumpf < adam.kumpf@^$1 > --- In caplet@^$2 , Mike Samuel wrote: > > 2010/5/24 adam.kumpf > > > > > > > I've been interested in ADsafe for a few months now as a potential way to > > allow 3rd party apps to work within a safe sandbox. > > > > However, since ADsafe fundamentally began as a sandbox for safe > > advertisement (which nicely extends to apps), are there...
    Mike Samuel May 26, 2010
  • 2010/5/24 adam.kumpf < adam.kumpf@^$1 > I've been interested in ADsafe for a few months now as a potential way to allow 3rd party apps to work within a safe sandbox. However, since ADsafe fundamentally began as a sandbox for safe advertisement (which nicely extends to apps), are there specific things that you would handle differently if the focus was full-scale web applications...
    Mike Samuel May 24, 2010
  • We should add tests though to make sure we stay invulnerable to that. 2009/7/29 Mike Stay < metaweta@^$1 > No; arguments is rewritten in cajita to a___ and in valija to Array.slice(arguments,1). On Wed, Jul 29, 2009 at 5:46 PM, David-Sarah Hopwood< david-sarah@^$2 > wrote: > > < http://webreflection.blogspot.com/2009/06/javascript-arguments-weridness.html > > [sic] notes the...
    Mike Samuel Jul 31, 2009
  • 2009/2/18 David-Sarah Hopwood : > Mike Samuel wrote: >> 2009/2/17 David-Sarah Hopwood : >>> Mike Samuel wrote: >>>> 2009/2/16 David-Sarah Hopwood >>>>> ValidChar :: one of > [...] >>>>> [\uFF00-\uFFEF] >>>> Why include FFEF? >>> It's unassigned, and there's no particular reason to exclude it. >>> (\uFFF0-\uFFF8 are also unassigned, but that's an area reserved >>> for "special...
    Mike Samuel Feb 18, 2009
  • 2009/2/17 David-Sarah Hopwood : > Mike Samuel wrote: >> 2009/2/16 David-Sarah Hopwood >>> Suppose that S is a Unicode string in which each character matches >>> ValidChar below, not containing the subsequences " ", and >>> not containing ("&" followed by a character not matching AmpFollower). >>> S encodes a syntactically correct ES3 or ES3.1 source text chosen by >>> an attacker...
    Mike Samuel Feb 17, 2009
  • 2009/2/16 David-Sarah Hopwood > > Suppose that S is a Unicode string in which each character matches > ValidChar below, not containing the subsequences " ", and > not containing ("&" followed by a character not matching AmpFollower). > S encodes a syntactically correct ES3 or ES3.1 source text chosen by > an attacker. > > ValidChar :: one of > '\u0009' '\u000A' '\u000D' // TAB, LF...
    Mike Samuel Feb 16, 2009
  • 2009/2/10 David-Sarah Hopwood : > Marcel Laverdet wrote: >> >> From what I remember this started out as a bug in IE and then Firefox >> followed suit for compatibility which left the other browsers with no >> choice. I can't find the original bug but `/[/]/` only started parsing >> in FF1.5, in FF1.0 it would throw a syntax error. >> >> You could throw out any malformed regexp...
    Mike Samuel Feb 10, 2009
  • 2009/2/9 Douglas Crockford > > David-Sarah Hopwood wrote: > > Consider the following JavaScript source: > > > > [ /[/]/ /foo]/ + bar > > > > According to the ES3 spec, this is interpreted as: > > > > [ new RegExp("[") ] / new RegExp("foo]") + bar > > > > According to the ES3.1 draft spec, it is interpreted as: > > > > [ new RegExp("[\/]") / foo ] / +bar > > > > Apparently, Firefox...
    Mike Samuel Feb 9, 2009
  • Is that the javascript equivalent of IE's expression(...) CSS extension? If so, I'm confused. If code is getting access to a raw HTMLElement or style object, then there's any number of other ways to convert a string to code. mike 2008/7/16 Douglas Crockford < douglas@^$1 >: I added setExpression to the banned method list.
    Mike Samuel Jul 16, 2008