[whatwg] Script-related feedback
Ian Hickson
ian at hixie.ch
Mon Jan 7 19:51:25 PST 2013
On Mon, 7 Jan 2013, Adam Barth wrote:
> >
> > Why not just introduce a keyword or pragma to JavaScript that tells
> > the user agent to act as if the end of the Program production had been
> > reached, and that it should treat the remainder of the file as another
> > Program?
> >
> > This could even be done in a backwards-compatible fashion by having
> > the syntax to do this be something that down-level clients ignore,
> > e.g.:
> >
> > /*@BREAK*/
> >
> > ...or some such.
>
> That approach is an in-band signal, which means it's vulnerable to
> injection attacks.
If you can inject this, you can inject arbitrary code, so I don't see how
this would be a problem.
> For example, consider a server that produces a JavaScript file of the
> following form:
>
> [...]
> var userData = "<?php echo sanitize($userData) ?>";
> [...]
>
> Currently, the rules for sanitizing user input are relatively
> straightforward (essentially, you just need to worry about a few special
> characters).
Those simple rules would prevent anyone from inserting a pragma-like
comment, too, so that's fine.
> However, if we implemented an in-band signaling we might well break
> these sanitation algorithms.
How? I'm not suggesting changing any JS syntax, just making existing JS
syntax be used as a signal.
If making a comment do this is too dodgy, make it something like this:
breakParsing();
...and for down-level support, define an explicit breakParsing function
that does nothing. If someone can insert a function call into JS, you've
definitely lost already.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
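The "few special characters" rule Adam refers to, written out as an added example (this is not code from the thread or from any WHATWG spec): an escaper for embedding untrusted data inside a JavaScript string literal, a renderer standing in for the PHP template above, and a round trip that parses the generated program and reads the value back. If the escaping were incomplete, a pragma-like comment or a `breakParsing();` call inside the data would leave the literal and the round trip would fail (the undefined `breakParsing` would throw); with the escaping in place it stays plain string content. The function names `escapeForJsStringLiteral`, `renderScript` and `roundTrip`, and the sample inputs, are my own.

```javascript
// Added example, not part of the original thread.
// Characters that must be escaped when untrusted text is placed inside a
// double-quoted JavaScript string literal in an inline <script>.
const JS_STRING_ESCAPES = {
  "\\": "\\\\",          // backslash: would otherwise start an escape sequence
  '"': '\\"',            // closing quote: would terminate the literal
  "'": "\\'",            // harmless in "..." but keeps the escaper usable for '...'
  "\n": "\\n",           // line terminators end an unescaped string literal
  "\r": "\\r",
  "\u2028": "\\u2028",   // U+2028/U+2029 were line terminators before ES2019
  "\u2029": "\\u2029",
  "<": "\\x3c",          // keeps "</script>" in the data from closing the script element
  "\0": "\\x00"          // \x00 rather than \0, which is ambiguous before a digit
};

function escapeForJsStringLiteral(value) {
  return String(value).replace(/[\\"'\n\r\u2028\u2029<\0]/g, (ch) => JS_STRING_ESCAPES[ch]);
}

// Stands in for:  var userData = "<?php echo sanitize($userData) ?>";
function renderScript(userData) {
  return 'var userData = "' + escapeForJsStringLiteral(userData) + '";';
}

// Parse the generated program and return what the script sees in userData.
// If the data had escaped the literal, the extra statements would run here
// (a call to an undefined breakParsing would throw a ReferenceError).
function roundTrip(userData) {
  const program = renderScript(userData);
  return new Function(program + " return userData;")();
}

// Constructed sample inputs: the pragma and the function call from the thread,
// plus the classic string-literal breakouts.
const SAMPLES = [
  'plain text',
  'quote " and backslash \\ and newline\n',
  '"; /*@BREAK*/ breakParsing(); //',
  '</script><script>alert(1)</script>',
  'line\u2028separator and \r\n'
];

function allSamplesRoundTrip() {
  return SAMPLES.every((s) => roundTrip(s) === s);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(renderScript(s));
  }
  console.log("round trip ok:", allSamplesRoundTrip());
}
```

The escaper is the whole of the "simple rules": as long as every character that can end the literal (or the enclosing script element) is escaped, nothing inside the data is parsed as JavaScript, so an in-band marker that is itself ordinary JS syntax cannot be smuggled through it either.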