[whatwg] Script-related feedback

[Ian Hickson]

On Mon, 7 Jan 2013, Adam Barth wrote:
> >
> > Why not just introduce a keyword or pragma to JavaScript that tells 
> > the user agent to act as if the end of the Program production had been 
> > reached, and that it should treat the remainder of the file as another 
> > Program?
> >
> > This could even be done in a backwards-compatible fashion by having 
> > the syntax to do this be something that down-level clients ignore, 
> > e.g.:
> >
> >    /*@BREAK*/
> >
> > ...or some such.
> 
> That approach is an in-band signal, which means it's vulnerable to 
> injection attacks.

If you can inject this, you can inject arbitrary code, so I don't see how 
this would be a problem.


> For example, consider a server that produces a JavaScript file of the 
> following form:
> 
> [...]
> var userData = "<?php echo santize($userData) ?>";
> [...]
> 
> Currently, the rules for sanitizing using input are relatively 
> straightforward (essentially, you just need to worry about a few special 
> characters).

Those simple rules would prevent anyone from inserting a pragma-like 
comment, too, so that's fine.


> However, if we implemented an in-band signaling we might well break 
> these sanitation algorithms.

How? I'm not suggesting changing any JS syntax, just making existing JS 
syntax be used as a signal.

If making a comment do this is too dodgy, make it something like this:

   breakParsing();

...and for down-level support, define an explicit breakParsing function 
that does nothing. If someone can insert a function call into JS, you've 
definitely lost already.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'