On 2011-07-19 4:48 PM, LWChris@LyricWiki wrote:
> a workaround from the coding tips. But the script provided there is
> said to be unsafe, too, in the discussion
Can you be more specific? Do you mean [1]? That seems to be an information disclosure problem, acceptable in some situations. If you can come up with a different version that works and doesn't have that specific problem, please do.
> But I honestly wonder if there's any possibility to hijack the GM sandbox if I only do "var lang = unsafeWindow.lang.toString();". I don't see any way how that variable value could hijack the sandbox even if it was referring to a function and not the expected string...
Right now, as far as we know, there is not. In the past there definitely was [2]. Are we perfect and able to predict every vulnerability? No. At the very least, pages are definitely able to lie about the values you access, to confuse/break your script.

[1] http://userscripts.org/topics/59723#posts-285967
[2] http://groups.google.com/group/greasemonkey-dev/t/933ecdb307c4386d
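As an added illustration of the point that a page can lie about the values a script reads (this is not code from the thread or from Greasemonkey), the sketch below validates a page-controlled `lang` value instead of calling `toString()` on it. It runs in plain JavaScript against constructed stand-in objects rather than a real `unsafeWindow`; `readPageString`, `LANG_PATTERN` and the sample objects are assumptions made for the example.

```javascript
// Added example: every name and sample object here is hypothetical/constructed.
const LANG_PATTERN = /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})?$/;

// Read a string the page controls without calling any method on the value.
function readPageString(pageObj, name, pattern, fallback) {
  let value;
  try {
    value = pageObj[name]; // a page-defined getter can still run or throw here
  } catch (e) {
    return fallback;
  }
  // Only primitive strings pass. No .toString(), String() or "" + value,
  // all of which would invoke a method the page supplies.
  if (typeof value !== 'string' || value.length > 16) return fallback;
  return pattern.test(value) ? value : fallback;
}

// Constructed stand-ins for what a page might expose as `lang`.
const pageCalls = []; // records whether a page-supplied method was invoked
const samples = {
  honest: { lang: 'en' },
  objectValue: { lang: { toString() { pageCalls.push('toString'); return 'en'; } } },
  functionValue: { lang: function () { return 'en'; } },
  lyingValue: { lang: 'EN_us??' },
  throwingGetter: Object.defineProperty({}, 'lang', {
    get() { throw new Error('raised by page'); },
  }),
};

// Run the reader over every sample and collect what the script would use.
function runSamples() {
  const out = {};
  for (const [label, page] of Object.entries(samples)) {
    out[label] = readPageString(page, 'lang', LANG_PATTERN, null);
  }
  return out;
}

console.log(runSamples(), 'page methods called:', pageCalls.length);
```

A `null` result means the script should fall back to its own default rather than trust the page.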
