
Re: [whatwg] Script-related feedback

From: Ian Hickson <ian@hixie.ch>
Date: Tue, 8 Jan 2013 03:51:25 +0000 (UTC)
To: Adam Barth <w3c@adambarth.com>
Message-ID: <Pine.LNX.4.64.1301080348180.12992@ps20323.dreamhostps.com>
Cc: whatwg@whatwg.org

On Mon, 7 Jan 2013, Adam Barth wrote:
> >
> > Why not just introduce a keyword or pragma to JavaScript that tells 
> > the user agent to act as if the end of the Program production had been 
> > reached, and that it should treat the remainder of the file as another 
> > Program?
> >
> > This could even be done in a backwards-compatible fashion by having 
> > the syntax to do this be something that down-level clients ignore, 
> > e.g.:
> >
> >    /*@BREAK*/
> >
> > ...or some such.
> 
> That approach is an in-band signal, which means it's vulnerable to 
> injection attacks.

If you can inject this, you can inject arbitrary code, so I don't see how 
this would be a problem.


> For example, consider a server that produces a JavaScript file of the 
> following form:
> 
> [...]
> var userData = "<?php echo sanitize($userData) ?>";
> [...]
> 
> Currently, the rules for sanitizing user input are relatively 
> straightforward (essentially, you just need to worry about a few special 
> characters).

Those simple rules would prevent anyone from inserting a pragma-like 
comment, too, so that's fine.


> However, if we implemented in-band signaling we might well break 
> these sanitation algorithms.

How? I'm not suggesting changing any JS syntax, just making existing JS 
syntax be used as a signal.

If making a comment do this is too dodgy, make it something like this:

   breakParsing();

...and for down-level support, define an explicit breakParsing function 
that does nothing. If someone can insert a function call into JS, you've 
definitely lost already.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 8 January 2013 03:51:50 GMT
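As an added example (not code from the thread or from either participant), here is the template from Adam's message with a correct string-literal escaper behind it, plus a check that the signal only appears where the page author placed it, even when the same text arrives inside user data. The `breakParsing` no-op, the lines around the template and the sample input are assumptions.

```javascript
// Added example, not code from the thread: a server-side escaper for
// embedding untrusted data in a generated JavaScript file as a string
// literal, plus checks that in-band signals (a /*@BREAK*/ comment or a
// breakParsing() call) arriving as data never become syntax.

// Hypothetical down-level definition of the no-op signal function.
const PRELUDE = "function breakParsing() {}\n";

function jsStringLiteral(value) {
  // JSON.stringify escapes backslash, double quote and control characters.
  // Additionally escape U+2028/U+2029 (line terminators in pre-ES2019
  // engines) and "</", so the literal cannot close an enclosing <script>.
  return JSON.stringify(String(value))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

function renderScript(userData) {
  // The generated file: the thread's template line, then the one signal
  // the author placed on purpose, then the start of the next "Program".
  return PRELUDE +
    "var userData = " + jsStringLiteral(userData) + ";\n" +
    "breakParsing();\n" +
    "var afterBreak = true;\n";
}

function roundTrip(userData) {
  // Evaluate the generated file and read userData back. With a correct
  // escaper the value is identical to the input, whatever it contains.
  return new Function(renderScript(userData) + "return userData;")();
}

function countSignals(script) {
  // Count breakParsing(); calls that sit outside string literals: blank
  // out every double-quoted literal (the only kind the template emits).
  const noStrings = script.replace(/"(?:[^"\\]|\\.)*"/g, '""');
  return (noStrings.match(/breakParsing\(\);/g) || []).length;
}

// Constructed sample: user data carrying both signal spellings and a
// closing script tag. The escaper keeps all of it inside the literal.
const SAMPLE_INPUT = 'Mr. "Smith" <script>/*@BREAK*/ breakParsing();</script>';
console.log(renderScript(SAMPLE_INPUT));
console.log("round trip ok:", roundTrip(SAMPLE_INPUT) === SAMPLE_INPUT);
console.log("signals outside literals:", countSignals(renderScript(SAMPLE_INPUT)));
```

The round trip is the property that matters: as long as the escaper handles the few special characters, the marker text is data, and only an escaper that already lets the string be terminated could turn it into a comment or a call.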
