- From: Frederik Braun <fbraun@mozilla.com>
- Date: Sat, 05 Oct 2013 10:07:52 +0200
- To: public-webappsec@w3.org
Hi list,

The specification is very clear about what 'unsafe-eval' means: it is a blacklist containing eval, Function, setTimeout and setInterval.

I am not proposing anything here, but there are other code patterns which may pose similar risks: with ECMAScript 6, the spread operator allows calling functions with an iterable (e.g., an array) that contains the arguments, without having to split them apart depending on the function's definition (and there is already Function.prototype.apply, which helps do something similar). Accessing an object's properties via a string is also possible, e.g. window[someString].

I'm rather hopeful that nobody will ever practice code patterns like this, but isn't a combination of these examples already very close to eval?

window[funcName](...argsArray);

Frederik
Received on Saturday, 5 October 2013 08:11:07 UTC