I recall there being a number of "the sky is falling" type things in the
past relating to XSS and JavaScript. One in particular that seemed to get a
lot of press argued that XMLHttpRequest was insecure because it could be
overloaded. Like John said, at the point of allowing your core JavaScript
functions to be overloaded, avoiding a few particular functions probably
isn't the right solution.
--Erik
On 3/23/07, Luke Lutman <[EMAIL PROTECTED]> wrote:
I got an email today that one of my plugins might be a cross-site
scripting/security risk because the plugin uses the Function.call()
method, like so:
    $.fn.plugin = function(elem, options, callback) {
        callback.call(elem, options);
    };
Has anyone heard of or dealt with this problem? If it is a security
risk, wouldn't Function.apply also be an issue?
Thanks,
Luke
_______________________________________________
jQuery mailing list
[email protected]
http://jquery.com/discuss/
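
The point made in the reply above, as an added example that is not part of the original thread or of jQuery: once script in the page can redefine built-ins, a plugin that avoids Function.call() is intercepted just as easily as one that uses it. `runDirect`, `api` and the two wrapper helpers are hypothetical names, and the sample element and options are constructed.

```javascript
// Added illustration. runWithCall mirrors the body of $.fn.plugin from the
// thread; runDirect, api and the wrapper helpers are hypothetical.
function runWithCall(elem, options, callback) {
  return callback.call(elem, options);
}

// A variant that avoids Function.call() by invoking the callback as a method.
function runDirect(elem, options, callback) {
  elem._cb = callback;
  try { return elem._cb(options); } finally { delete elem._cb; }
}

const api = { plugin: runDirect }; // stands in for $.fn

// Simulates script already running in the page that redefines a built-in.
function withRedefinedCall(log, fn) {
  const original = Function.prototype.call;
  Function.prototype.call = function (...args) {
    log.push('intercepted ' + JSON.stringify(args[1]));
    return original.apply(this, args);
  };
  try { return fn(); } finally { Function.prototype.call = original; }
}

// The same script can wrap the plugin entry point instead; no call() involved.
function withWrappedPlugin(log, fn) {
  const original = api.plugin;
  api.plugin = function (elem, options, callback) {
    log.push('intercepted ' + JSON.stringify(options));
    return original(elem, options, callback);
  };
  try { return fn(); } finally { api.plugin = original; }
}

function compare() {
  const elem = { id: 'box' };          // constructed sample element
  const options = { speed: 'fast' };   // constructed sample options
  const callback = function (opts) { return this.id + ':' + opts.speed; };
  const viaCallLog = [], directLog = [];
  return {
    plainCall: runWithCall(elem, options, callback),
    plainDirect: api.plugin(elem, options, callback),
    tamperedCall: withRedefinedCall(viaCallLog, () => runWithCall(elem, options, callback)),
    tamperedDirect: withWrappedPlugin(directLog, () => api.plugin(elem, options, callback)),
    viaCallLog, directLog,
  };
}
```

Both variants return the same result and are observed identically, so the boundary that matters is whether untrusted script can run in the page at all, not which invocation style the plugin uses.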