- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 29 Mar 2011 18:19:25 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: Brandon Sterne <bsterne@mozilla.com>, gaz Heyes <gazheyes@gmail.com>, "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On Tue, Mar 29, 2011 at 5:58 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 3/29/11 5:45 PM, Brandon Sterne wrote:
>> On 03/29/2011 01:39 AM, gaz Heyes wrote:
>>> I think String is a loose definition, for example what if we call
>>> setTimeout with an array or object?
>>> setTimeout(["alert(1)"])
>>
>> Good lord, why does that work? :-)
>
> Because Array.prototype.toString in ES5 is defined in such a way that it's
> equivalent to calling .join() (with no arguments) on the array in question,
> as long as no one has done anything weird.
>
> You could also get this effect with things like:
>
> setTimeout({ toString: function() { return "alert(1)"; } });
>
>> s/called with a String argument/called with any argument other than a
>> Function object/g
>
> What about function proxies?
>
> What about non-Function callables?

WebKit seems to distinguish between callable and non-callable. Non-callables get coerced to strings, which then get compiled as script source code, which is what we'd like to avoid.

Adam
Received on Wednesday, 30 March 2011 01:20:30 UTC
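The coercion the thread describes, and the callable-only guard that the proposed CSP wording amounts to, as an added example that is not part of the original message or of any browser's code (the function names are invented for illustration):

```javascript
// Added example, not from the thread. Models the step a browser takes when
// setTimeout's first argument is not a Function: ToString is applied, so an
// array becomes its join() and an object becomes whatever its toString() returns,
// and the result is then compiled as script source.
function coerceTimerArg(arg) {
  // typeof reports 'function' for anything callable, including a Proxy that
  // wraps a function, so such values are treated as callable here too.
  if (typeof arg === 'function') {
    return { kind: 'callable', value: arg };
  }
  return { kind: 'source', value: String(arg) };
}

// Guard in the spirit of "any argument other than a Function object" is refused:
// only callables are scheduled, so nothing ever reaches the string-to-script path.
function safeSetTimeout(handler, delay, ...args) {
  if (typeof handler !== 'function') {
    throw new TypeError('setTimeout handler must be callable, got ' + typeof handler);
  }
  return setTimeout(handler, delay, ...args);
}

// Constructed samples matching the thread: an array, an object with a custom
// toString, and a real function. Returns which ones the guard would reject.
function classifySamples() {
  const samples = {
    array: ['alert(1)'],
    object: { toString: function () { return 'alert(1)'; } },
    fn: function () {},
  };
  const out = {};
  for (const [name, arg] of Object.entries(samples)) {
    const c = coerceTimerArg(arg);
    out[name] = { kind: c.kind, source: c.kind === 'source' ? c.value : null };
  }
  return out;
}
```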