- From: gaz Heyes <gazheyes@gmail.com>
- Date: Tue, 29 Mar 2011 09:39:14 +0100
- To: Adam Barth <w3c@adambarth.com>
- Cc: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
Received on Tuesday, 29 March 2011 08:39:46 UTC
On 29 March 2011 01:05, Adam Barth <w3c@adambarth.com> wrote:

> >> [[
> >> User-agents must prevent strings from being converted to ECMAScript
> >> code, including calls to:
> >>
> >> eval()
> >> new Function() constructor
> >> setTimeout() called with a String argument
> >> setInterval() called with a String argument
> >> ]]
> >>
> >> Suppose the page does call setTimeout with a string. How should the
> >> user agent handle the error?
>

I think String is a loose definition, for example what if we call setTimeout with an array or object?

setTimeout(["alert(1)"])

IMO the spec should say any argument that isn't a function when related to setTimeout/setInterval.
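Added example, not part of the original message: a comparison of a literal "String argument" check with the "anything that isn't a function" check proposed in the reply, run over constructed sample handlers. The function names (`naiveStringCheck`, `strictFunctionCheck`, `codeThatWouldRun`, `guardTimer`) are hypothetical; nothing here is evaluated as code.

```javascript
// Blocks only primitive strings: the quoted spec wording, read literally.
function naiveStringCheck(handler) {
  return typeof handler === "string" ? "block" : "allow";
}

// Blocks anything that is not callable: the wording proposed in the reply.
function strictFunctionCheck(handler) {
  return typeof handler === "function" ? "allow" : "block";
}

// Browsers convert a non-function timer handler to a string before
// compiling it. This returns that string without ever running it.
function codeThatWouldRun(handler) {
  return typeof handler === "function" ? null : String(handler);
}

// Constructed sample handlers.
const samples = [
  { name: "function", handler: function () {} },
  { name: "string", handler: "alert(1)" },
  { name: "array", handler: ["alert(1)"] },
  { name: "String object", handler: new String("alert(1)") },
  { name: "object with toString", handler: { toString() { return "alert(1)"; } } },
];

// One row per sample: the source text a timer would compile, and each verdict.
function compare() {
  return samples.map(({ name, handler }) => ({
    name,
    source: codeThatWouldRun(handler),
    naive: naiveStringCheck(handler),
    strict: strictFunctionCheck(handler),
  }));
}

// Wraps a timer-like function so that non-function handlers are rejected.
function guardTimer(timerFn) {
  return function (handler, ...rest) {
    if (strictFunctionCheck(handler) === "block") {
      throw new TypeError("timer handler must be a function");
    }
    return timerFn(handler, ...rest);
  };
}

console.table(compare());
```

The array, the String object and the object with a custom `toString` all stringify to the same source text as the plain string, yet only the function-only check blocks them.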