Andrea,
in my previous message there were errors in the code; too sleepy to
type.
Last line should have been "alert(typeof img.onabort)".
This is what works on FF3 without appending to DOM, doesn't work on IE
6 (I re-tested it).
var img = document.createElement("img");
img.setAttribute("onabort", "alert(1)");
alert(typeof img.onabort);
A similar workaround may be used for IE 6 compatibility, again without
adding to the DOM:
var orphan = document.createElement('orphan');
orphan.innerHTML = '<img onerror="alert(1)" />';
alert(typeof orphan.firstChild.onerror);
Probably not appending is less resource demanding.
It was just curiosity about what others think about this since it
poses some security concerns like we have seen for "eval" and friends.
I have nothing wrong with current globalEval. Just poking around and
see what could be done and what could/should not be done.
Thank you for answering,
--
Diego Perini
On 18 Set, 13:15, "Andrea Giammarchi" <[EMAIL PROTECTED]>
wrote:
> Last version:
>
> globalEval = (function(Image){
> Image.style.position = "absolute";
> Image.style.left
> Image.style.top = "-10000px";
> return function(eval){
> var body = document.body || document.documentElement;
> (Image = Image.cloneNode(true)).setAttribute("onerror", eval);
> body.appendChild(Image);
> Image.onerror.call(null);
> body.removeChild(Image);
> }
>
> })(new Image(1, 1));
>
> But for described reason, all this stuff become the same of this one,
> correct?
>
> globalEval = function(){Function(arguments[0])()};
>
> :-)
>
> On Thu, Sep 18, 2008 at 11:57 AM, Andrea Giammarchi <
>
> [EMAIL PROTECTED]> wrote:
> > Still me, Diego :-)
>
> > I was confused about the usage of cuntion inside the setAttribute.
>
> > As you know, it is a function by default, so this example works, but there
> > are still problems I was talking about:
>
> > onload = function(){
> > var img = document.createElement("img");
> > img.setAttribute("onerror", "alert([this, arguments.length])");
> > document.body.appendChild(img);
> > img.onerror();
> > document.body.removeChild(img);
> > };
>
> > To solve it we could simply use a function like this one:
>
> > globalEval = (function(Image){
> > Image.style.position = "absolute";
> > Image.style.left
> > Image.style.top = "-10000px";
> > return function(eval){
> > Image.setAttribute("onerror", eval);
> > with(document.body || document.documentElement){
> > appendChild(Image);
> > Image.onerror.call(null);
> > removeChild(Image)
> > }
> > }
> > })(new Image(1, 1));
>
> > But the arguments problem is still there:
>
> > arguments = [1,2,3];
> > globalEval("document.write([arguments.length, arguments.callee])");
>
> > 0,function onerror(event, source, lineno) {
> > document.write([arguments.length, arguments.callee]); }
>
> > Kind Regards
>
> > On Thu, Sep 18, 2008 at 9:18 AM, Andrea Giammarchi <
> > [EMAIL PROTECTED]> wrote:
>
> >> Hi Diego,
>
> >> in my test cases your example does not work.
> >> At the same time, I am not sure you have to put the image in the DOM,
> >> before the event could be called.
>
> >> If you need to do it, the evaluation will be async, so as globalEval
> >> replacement, it is not that good.
>
> >> If not, you are still evaluating "whatever" inside a function and, as you
> >> know, this simply means that if you have a global scope variable, called
> >> arguments, you will never be able to use it as is, unless you specify the
> >> global object as prefix (window or self, because this will be the image
> >> itself)
>
> >> I wonder why you are still looking for a globalEval alternative. What I
> >> mean is: which kind of problem has the current solution?
>
> >> I would like to know it and try to fix it, if it is possible, since "I
> >> feel a bit responsible" for that code :-)
>
> >> Regards
>
> >> On Thu, Sep 18, 2008 at 1:23 AM, Diego Perini <[EMAIL PROTECTED]>wrote:
>
> >>> Hi devs,
> >>> would like to leave a note on this, seem interesting and maybe can be
> >>> used as an alternative to globalEval.
>
> >>> It turns out that we have another way to evaluate javascript strings
> >>> easily, namely by using setAttribute() to assign a string value to
> >>> some specific attribute like the DOM 0 (or in-line) event.
>
> >>> So, at first I tried using the standard body "onload" attribute, but I
> >>> in IE that didn't work as in FF.
>
> >>> Then I did some test with an image and that worked both in FF and in
> >>> IE (believe it works in other browsers too).
>
> >>> var img = document.createElement('img'); // or just new Image();
> >>> img.setAttribute("onabort", "function () {}"); // onerror, onload also
> >>> works
> >>> alert(typeof img.onload); // yeld function instead of string...good.
>
> >>> I was thinking to this while thinking to Air, Caja and similars.
>
> >>> Evil...good...useful ?
>
> >>> Your thoughts appreciated.
>
> >>> --
> >>> Diego Perini
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"jQuery Development" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/jquery-dev?hl=en
-~----------~----~----~----~------~----~------~--~---
