
Scripts from Strings: Where is the line?

From: Frederik Braun <fbraun@mozilla.com>
Date: Sat, 05 Oct 2013 10:07:52 +0200
Message-ID: <524FC8D8.7050404@mozilla.com>
To: public-webappsec@w3.org
Hi list,

The specification is very clear about what 'unsafe-eval' means: It is a
blacklist containing eval, Function, setTimeout and setInterval.

I am not proposing anything here, but there are other code patterns
which may pose similar risks: With ECMAScript 6, the spread operator
allows calling functions with an iterable (e.g., an array) that contains
the arguments, without having to split them apart depending on the
function's definition (and there is already Function.prototype.apply,
which helps doing something similar). Accessing an object's properties
from a string is also possible, e.g. window[someString].

I'm rather hopeful that nobody will ever practice code patterns like
this, but isn't a combination of these examples already very close to eval?

window[funcName](...argsArray);



Frederik
Received on Saturday, 5 October 2013 08:11:07 UTC
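The pattern raised in the message above, written out as an added example that is not part of the original post or of any W3C specification text. It shows the string-selected global call (`window[funcName](...argsArray)`, with `globalThis` standing in for `window` so it runs under Node) next to an allow-listed dispatcher that never resolves names against the global object. The global functions `greet`, `sum` and `deleteAccount`, and the request objects fed to the dispatchers, are constructed sample input and are assumptions of this example.

```javascript
// Added example: string-to-call dispatch without eval, and a hardened form.
// Under Node, globalThis plays the role of window. Not code from the post.

// Hypothetical application functions published on the global object.
globalThis.greet = (name) => `hello ${name}`;
globalThis.sum = (...nums) => nums.reduce((a, b) => a + b, 0);

// Something an application would never want reachable from a string, but
// which also happens to live on the global object (hypothetical).
globalThis.deleteAccount = (id) => `account ${id} deleted`;

// Pattern from the post: window[funcName](...argsArray). No eval(), no
// Function constructor call written in the source, so no code is compiled
// from a string here; yet the string alone decides which global is invoked.
function dispatchByGlobalName(funcName, argsArray) {
  const fn = globalThis[funcName];
  if (typeof fn !== 'function') {
    throw new TypeError(`no global function named ${funcName}`);
  }
  return fn(...argsArray);
}

// Hardened form: the callable targets are a closed table owned by the code,
// so a string can only pick among names the developer listed explicitly.
const ALLOWED_CALLS = new Map([
  ['greet', globalThis.greet],
  ['sum', globalThis.sum],
]);

function dispatchAllowlisted(funcName, argsArray) {
  const fn = ALLOWED_CALLS.get(funcName);
  if (fn === undefined) {
    throw new RangeError(`call target not allowed: ${funcName}`);
  }
  return fn(...argsArray);
}

// Run one request whose function name and arguments are treated as
// attacker-chosen; report the outcome instead of letting errors escape.
function runUntrusted(dispatcher, request) {
  try {
    return { ok: true, result: dispatcher(request.fn, request.args) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

// Constructed sample requests. The 'Function' entry reaches the Function
// constructor through a property lookup; in a browser with a CSP lacking
// 'unsafe-eval' that call is refused because it compiles code from a string,
// whereas the 'deleteAccount' call involves no string-to-code step and is
// not something 'unsafe-eval' addresses at all.
const SAMPLE_REQUESTS = [
  { fn: 'sum', args: [1, 2, 3] },
  { fn: 'greet', args: ['list'] },
  { fn: 'deleteAccount', args: [42] },
  { fn: 'Function', args: ['return 1'] },
  { fn: 'noSuchFunction', args: [] },
];

// Summarise how each dispatcher handles the sample requests.
function compareDispatchers(requests = SAMPLE_REQUESTS) {
  return requests.map((req) => ({
    fn: req.fn,
    byGlobalName: runUntrusted(dispatchByGlobalName, req),
    allowlisted: runUntrusted(dispatchAllowlisted, req),
  }));
}

for (const row of compareDispatchers()) {
  console.log(row.fn.padEnd(16),
    'global:', JSON.stringify(row.byGlobalName),
    'allowlisted:', JSON.stringify(row.allowlisted));
}
```

The point the comparison makes is the one the message hints at: the global-lookup dispatcher is a general "call anything by name" primitive even though it contains nothing that 'unsafe-eval' blacklists, while the allow-listed version bounds what a string can select regardless of what else is reachable on the global object.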
