- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 8 Jan 2013 03:51:25 +0000 (UTC)
- To: Adam Barth <w3c@adambarth.com>
- Cc: whatwg@whatwg.org
On Mon, 7 Jan 2013, Adam Barth wrote:
>
> > Why not just introduce a keyword or pragma to JavaScript that tells
> > the user agent to act as if the end of the Program production had been
> > reached, and that it should treat the remainder of the file as another
> > Program?
> >
> > This could even be done in a backwards-compatible fashion by having
> > the syntax to do this be something that down-level clients ignore,
> > e.g.:
> >
> >    /*@BREAK*/
> >
> > ...or some such.
>
> That approach is an in-band signal, which means it's vulnerable to
> injection attacks.

If you can inject this, you can inject arbitrary code, so I don't see how
this would be a problem.

> For example, consider a server that produces a JavaScript file of the
> following form:
>
> [...]
> var userData = "<?php echo sanitize($userData) ?>";
> [...]
>
> Currently, the rules for sanitizing user input are relatively
> straightforward (essentially, you just need to worry about a few special
> characters).

Those simple rules would prevent anyone from inserting a pragma-like
comment, too, so that's fine.

> However, if we implemented an in-band signaling we might well break
> these sanitation algorithms.

How? I'm not suggesting changing any JS syntax, just making existing JS
syntax be used as a signal.

If making a comment do this is too dodgy, make it something like this:

   breakParsing();

...and for down-level support, define an explicit breakParsing function
that does nothing.

If someone can insert a function call into JS, you've definitely lost
already.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 January 2013 03:51:50 UTC