Re: String replace JavaScript bad design

From: gaz Heyes <gazheyes@gmail.com>
Date: Mon, 27 Sep 2010 15:40:47 +0100
Message-ID: <AANLkTik6aXgZ_q=itrhFewo=oQ9deaqBX8GmVTOj1Tsd@mail.gmail.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>
On 27 September 2010 15:34, Steingruebl, Andy
<asteingruebl@paypal-inc.com> wrote:

> > From: public-web-security-request@w3.org [mailto:
> public-web-security-request@w3.org] On Behalf Of gaz Heyes
>
> > I consider the function to be badly designed (although an excellent
> function overall). I've provided a JavaScript patch until (if ever)
> > browsers change its behaviour. I also consider Mozilla's third argument
> a really bad idea as this is unsupported
> > by the other browsers at this time and adding flags just seems pretty
> messy and adds to the confusion.
>
> Let's say for a second that browsers decided to change the default
> behavior.
>
> 1. Any idea how many sites/things that would break?
> 2. Any idea whether it would cause more security problems than it fixes?
> 3. Any ways to make that change and still be backwards compat, etc? Maybe
> look for certain behavior, page creation time, etc?
>
> I'm not saying you're wrong that developers are using the current version
> incorrectly, I'm just not sure how we get to the right state without
> breaking things along the way. Any suggestions?
>

In my blog post I provide some code to change existing behaviour, a feature
test could be added to replace the default behaviour for older browsers like
so:

if ('aa'.replace('a', '')) {
  // Feature test: a string pattern replaced only the first 'a', so this
  // browser has the first-match-only behaviour and needs the patch.
  String.prototype.replace = (function (r) {
    return function (find, replace, replaceOnce) {
      if (typeof find == 'string' && !replaceOnce) {
        // Escape regex metacharacters ('|' included) so the string is
        // matched literally, then build a global RegExp from it.
        find = r.apply(find, [/[\[\]^$*+.?(){}|\\\-]/g, function (c) { return '\\' + c; }]);
        find = new RegExp(find, 'g');
      } else if (find && typeof find == 'object' && !replaceOnce && !find.global) {
        // Rebuild a non-global RegExp as global, keeping its other flags.
        find = new RegExp(find.source,
          'g' + (find.ignoreCase ? 'i' : '') + (find.multiline ? 'm' : ''));
      }
      return r.apply(this, [find, replace]);
    };
  })(String.prototype.replace);
  alert('aaaabbbbb'.replace(/a/, ''));  // 'bbbbb' once patched
}
Received on Monday, 27 September 2010 14:41:19 GMT
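The first-match-only behaviour the thread is about, shown against an HTML escaper, as an added example that is not part of the original message (the function names and the sample input are this example's own):

```javascript
// Added example: why string-pattern replace() is a trap in sanitizers.
// With a string pattern, String.prototype.replace substitutes only the
// FIRST match, so every later special character passes through untouched.

// Naive escaper written the way the thread warns against (string patterns).
function escapeHtmlNaive(s) {
  return s
    .replace('&', '&amp;')
    .replace('<', '&lt;')
    .replace('>', '&gt;')
    .replace('"', '&quot;')
    .replace("'", '&#39;');
}

// Correct escaper: a global regex with a lookup table replaces every
// occurrence in a single pass over the input.
var HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, function (c) { return HTML_ESCAPES[c]; });
}

// Replace-all helper for callers that have a plain string pattern and do not
// want to hand-build a regex (no metacharacter escaping needed).
function replaceAll(s, find, replacement) {
  return s.split(find).join(replacement);
}

// Audit check: after escaping, no raw markup-significant character may remain
// and every '&' must start one of the entities the escaper emits.
function isFullyEscaped(s) {
  return !/[<>"']/.test(s) && !/&(?!(amp|lt|gt|quot|#39);)/.test(s);
}

// Constructed sample input: two tags; the naive escaper only handles the first.
var sample = '<b>x</b><i>y</i>';
var naive = escapeHtmlNaive(sample);  // '&lt;b&gt;x</b><i>y</i>'
var safe = escapeHtml(sample);        // '&lt;b&gt;x&lt;/b&gt;&lt;i&gt;y&lt;/i&gt;'

if (typeof console !== 'undefined') {
  console.log('naive :', naive, '->', isFullyEscaped(naive) ? 'ok' : 'UNESCAPED MARKUP LEFT');
  console.log('global:', safe, '->', isFullyEscaped(safe) ? 'ok' : 'UNESCAPED MARKUP LEFT');
}
```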