There's always a security risk with eval, but I don't think it's much of 
a problem seeing as how it's all happening on the client...  It's how 
99% of all webapps execute JSON - which can be much worse as it's coming 
from a remote machine!

I didn't want to write a silly little pseudo-eval/read like we have in 
swf, which has the same security issues.

On 12/18/09 12:39 PM, P T Withington wrote:
> I agree with Max that if you are trying to pass a literal string, you will 
> have to quote it.  This interface is expecting a Javascript expression, so it 
> would seem the swf behaviour was really a bug.
>
> OTOH, Max: is there a security issue with passing these expressions directly 
> to eval in DHTML?
>
> On 2009-12-18, at 14:44, Maynard Demmon wrote:
>
>> Not always, though with my rewritten version I first cast it to a string
>> and escape the ' character. SWF seems fine with whatever is passed in.
>> I've used booleans and strings.
>>
>> -Maynard
>>
>> Max Carlson wrote:
>>> Is value a string?  If so, I'd expect it to be quoted...
>>>
>>> On 12/18/09 11:39 AM, Maynard Demmon wrote:
>>>> This fix appears to work. One difference I noticed is that in DHTML I
>>>> had to enclose the value in quotes whereas for swf this wasn't
>>>> necessary. For example, this:
>>>>
>>>> top.lz.embed.callMethod("gRTECallback." + methodName + "("+value+")");
>>>>
>>>> had to be rewritten like this:
>>>>
>>>> top.lz.embed.callMethod("gRTECallback." + methodName + "('"+value+"')");
>>>>
>>>> The quoted version works for both swf and dhtml.
>>>> -Maynard
>>>>
>>>> Max Carlson wrote:
>>>>> Change 20091217-maxcarlson-y by maxcarl...@bank on 2009-12-17 16:24:52
>>>>> PST
>>>>> in /Users/maxcarlson/openlaszlo/trunk-clean
>>>>> for http://svn.openlaszlo.org/openlaszlo/trunk
>>>>>
>>>>> Summary: Add lz.embed[.appid].callMethod() support to DHTML
>>>>>
>>>>> Bugs Fixed: LPP-8676 - callMethod doesn't seem to work in dhtml, only
>>>>> in swf
>>>>>
>>>>> Technical Reviewer: ptw
>>>>> QA Reviewer: mdemmon
>>>>>
>>>>> Details: Add support for callMethod() to the DHTML runtime, complete
>>>>> with queueing when called before the app completes initialization.
>>>>>
>>>>> Tests: Testcase from LPP-8676 shows the same result across runtimes at
>>>>> startup and when clicking the 'Call onclick' button.
>>>>>
>>>>> Files:
>>>>> M lps/includes/source/embednew.js
>>>>>
>>>>> Changeset:
>>>>> http://svn.openlaszlo.org/openlaszlo/patches/20091217-maxcarlson-y.tar
>>>>
>>>>
>>>
>>
>>
>> _______________________________________________
>> Laszlo-reviews mailing list
>> [email protected]
>> http://www.openlaszlo.org/mailman/listinfo/laszlo-reviews
>

-- 
Regards,
Max Carlson
OpenLaszlo.org
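The thread above turns on two related points: a value spliced into a JavaScript expression string has to be quoted (Maynard's fix), and whatever is quoted still ends up in eval (PT's question). The block below is an added example, not OpenLaszlo code; the names gRTECallback and callMethod come from the messages, while the callback object, the four dispatch variants and the sample values are constructed here. It shows why quoting alone is fragile, why escaping only the apostrophe (as described in the thread) is not enough, how JSON.stringify produces a correct string literal when an expression must be built, and how a dispatcher that resolves the dotted method name and passes the value as a real argument avoids eval entirely and also preserves non-string types such as booleans.

```javascript
// Added example for this thread, not OpenLaszlo code. gRTECallback and
// callMethod are the names used in the messages above; the callback object,
// the dispatch variants and the sample values are constructed here.

const gRTECallback = {
  onclick: (v) => "onclick:" + typeof v + ":" + String(v),
  nested: { setTitle: (v) => "title:" + v },
};

// Stand-in for eval in a page where gRTECallback is a global: the expression
// text is compiled as a function body with gRTECallback as its only parameter.
function evalExpr(expr) {
  return new Function("gRTECallback", "return " + expr)(gRTECallback);
}

// 1. The shape discussed in the thread: the expression is built by string
//    concatenation with the value wrapped in single quotes. The value becomes
//    program text, so a quote inside it changes the meaning of the expression.
function callMethodByEval(methodName, value) {
  return evalExpr("gRTECallback." + methodName + "('" + value + "')");
}

// 2. Escaping only the quote character (the approach mentioned in the thread)
//    handles "it's" but not a trailing backslash or a newline.
function callMethodQuoteEscaped(methodName, value) {
  const escaped = String(value).replace(/'/g, "\\'");
  return evalExpr("gRTECallback." + methodName + "('" + escaped + "')");
}

// 3. If an expression string must be built, let the engine do the quoting:
//    JSON.stringify emits a complete, correctly escaped string literal.
function callMethodJsonQuoted(methodName, value) {
  return evalExpr("gRTECallback." + methodName + "(" + JSON.stringify(String(value)) + ")");
}

// 4. Preferred: no eval. Resolve the dotted method path against the callback
//    object with an identifier check and own-property lookups (so a path like
//    "constructor.constructor" never reaches the Function constructor), then
//    call the method with the value as an ordinary argument. Booleans and other
//    non-string values keep their type instead of being flattened to text.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function callMethodDirect(root, methodName, value) {
  const parts = String(methodName).split(".");
  if (!parts.every((p) => IDENT.test(p))) {
    throw new Error("invalid method path: " + methodName);
  }
  let target = root;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(target, parts[i])) {
      throw new Error("no such object: " + parts.slice(0, i + 1).join("."));
    }
    target = target[parts[i]];
    if (target === null || typeof target !== "object") {
      throw new Error("not an object: " + parts.slice(0, i + 1).join("."));
    }
  }
  const name = parts[parts.length - 1];
  if (!Object.prototype.hasOwnProperty.call(target, name) || typeof target[name] !== "function") {
    throw new Error("not a method: " + methodName);
  }
  return target[name].call(target, value);
}

// Runs a dispatcher and reports the result or the error class instead of
// throwing, so the variants can be compared side by side.
function outcome(fn, ...args) {
  try {
    return { ok: true, value: fn(...args) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// The same constructed inputs through all four variants.
function compare() {
  const apostrophe = "it's";
  const backslash = "a\\"; // the two-character value a\
  return {
    evalPlain: outcome(callMethodByEval, "onclick", apostrophe),                   // SyntaxError
    evalEscaped: outcome(callMethodQuoteEscaped, "onclick", apostrophe),           // ok
    evalEscapedBackslash: outcome(callMethodQuoteEscaped, "onclick", backslash),   // SyntaxError
    jsonQuoted: outcome(callMethodJsonQuoted, "onclick", backslash),               // ok
    direct: outcome(callMethodDirect, gRTECallback, "nested.setTitle", apostrophe), // ok
    directBoolean: outcome(callMethodDirect, gRTECallback, "onclick", true),       // type preserved
    directPrototype: outcome(callMethodDirect, gRTECallback, "constructor.constructor", "x"), // Error
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compare());
}
```

Calling compare() prints the side-by-side results: the plain and quote-escaped eval variants fail with a SyntaxError on ordinary input, the JSON-quoted variant survives it, and the direct dispatcher handles the same inputs without ever compiling the value as code while rejecting paths that walk the prototype chain.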