- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 29 Mar 2011 20:58:08 -0400
- To: Brandon Sterne <bsterne@mozilla.com>
- CC: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On 3/29/11 5:45 PM, Brandon Sterne wrote:
> On 03/29/2011 01:39 AM, gaz Heyes wrote:
>> I think String is a loose definition, for example what if we call
>> setTimeout with an array or object?
>> setTimeout(["alert(1)"])
>
> Good lord, why does that work? :-)

Because Array.prototype.toString in ES5 is defined in such a way that it's equivalent to calling .join() (with no arguments) on the array in question, as long as no one has done anything weird.

You could also get this effect with things like:

  setTimeout({ toString: function() { return "alert(1)"; } });

> s/called with a String argument/called with any argument other than a
> Function object/g

What about function proxies? What about non-Function callables?

-Boris
Received on Wednesday, 30 March 2011 00:58:45 UTC
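As an added illustration of the coercion discussed in the thread (example code, not from the list or from any browser's CSP implementation): a non-callable first argument to setTimeout is run through ToString, so an Array or an object with a custom toString ends up as source text, while a check phrased as "anything other than a Function object" can be expressed with typeof, which reports "function" for every callable, including callable proxies and functions from another realm. The names safeSetTimeout, classify and the sample inputs are assumptions made for this example.

```javascript
// Added example, not part of the original thread: why "is it a String?" is the
// wrong test for setTimeout's first argument, and what the callable test looks like.

// Mirror the coercion the engine performs on a non-callable argument:
// ToString, which for arrays is join() and for objects is their own toString.
function coerceLikeSetTimeout(arg) {
  return String(arg);
}

// "Any argument other than a Function object": typeof is "function" for every
// object with an internal [[Call]], which covers callable proxies and functions
// created in another realm, both of which a String-based rule never sees.
function isCallable(arg) {
  return typeof arg === 'function';
}

// Hypothetical defensive wrapper: only callables are scheduled; anything else
// is rejected before it could be coerced into code.
function safeSetTimeout(callback, delay, ...args) {
  if (!isCallable(callback)) {
    throw new TypeError('setTimeout callback must be callable, got ' + typeof callback);
  }
  return setTimeout(callback, delay, ...args);
}

// Constructed sample inputs; the first three are exactly the cases raised on the list.
const samples = {
  plainString: 'alert(1)',
  arrayArg: ['alert(1)'],                                   // Array.prototype.toString == join()
  toStringObj: { toString() { return 'alert(1)'; } },       // custom toString
  fn: function () { return 1; },                            // ordinary Function
  proxiedFn: new Proxy(function () { return 2; }, {}),      // callable proxy
};

// For a given argument, report whether the callable rule accepts it and, if not,
// the source text the engine would have compiled.
function classify(arg) {
  return isCallable(arg)
    ? { accepted: true, source: null }
    : { accepted: false, source: coerceLikeSetTimeout(arg) };
}
```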