On 2009-12-18, at 15:44, Max Carlson wrote:
> There's always a security risk with eval, but I don't think it's much of
> a problem seeing as how it's all happening on the client... It's how
> 99% of all webapps execute JSON - which can be much worse as it's coming
> from a remote machine!
Fixed in ES5, now an accepted standard, hopefully coming to a browser near you
soon!
> I didn't want to write a silly little pseudo-eval/read like we have in
> swf, which has the same security issues.
Or odd behaviour, such as what Maynard discovered. I assume it is the
pseudo-eval that is causing unbound symbols to be interpreted as strings in
swf?
> On 12/18/09 12:39 PM, P T Withington wrote:
>> I agree with Max that if you are trying to pass a literal string, you will
>> have to quote it. This interface is expecting a Javascript expression, so
>> it would seem the swf behaviour was really a bug.
>>
>> OTOH, Max: is there a security issue with passing these expressions directly
>> to eval in DHTML?
>>
>> On 2009-12-18, at 14:44, Maynard Demmon wrote:
>>
>>> Not always, though with my rewritten version I first cast it to a string
>>> and escape the ' character. SWF seems fine with whatever is passed in.
>>> I've used booleans and strings.
>>>
>>> -Maynard
>>>
>>> Max Carlson wrote:
>>>> Is value a string? If so, I'd expect it to be quoted...
>>>>
>>>> On 12/18/09 11:39 AM, Maynard Demmon wrote:
>>>>> This fix appears to work. One difference I noticed is that in DHTML I
>>>>> had to enclose the value in quotes whereas for swf this wasn't
>>>>> necessary. For example, this:
>>>>>
>>>>> top.lz.embed.callMethod("gRTECallback." + methodName + "("+value+")");
>>>>>
>>>>> had to be rewritten like this:
>>>>>
>>>>> top.lz.embed.callMethod("gRTECallback." + methodName + "('"+value+"')");
>>>>>
>>>>> The quoted version works for both swf and dhtml.
>>>>> -Maynard
>>>>>
>>>>> Max Carlson wrote:
>>>>>> Change 20091217-maxcarlson-y by maxcarl...@bank on 2009-12-17 16:24:52
>>>>>> PST
>>>>>> in /Users/maxcarlson/openlaszlo/trunk-clean
>>>>>> for http://svn.openlaszlo.org/openlaszlo/trunk
>>>>>>
>>>>>> Summary: Add lz.embed[.appid].callMethod() support to DHTML
>>>>>>
>>>>>> Bugs Fixed: LPP-8676 - callMethod doesn't seem to work in dhtml, only
>>>>>> in swf
>>>>>>
>>>>>> Technical Reviewer: ptw
>>>>>> QA Reviewer: mdemmon
>>>>>>
>>>>>> Details: Add support for callMethod() to the DHTML runtime, complete
>>>>>> with queueing when called before the app completes initialization.
>>>>>>
>>>>>> Tests: Testcase from LPP-8676 shows the same result across runtimes at
>>>>>> startup and when clicking the 'Call onclick' button.
>>>>>>
>>>>>> Files:
>>>>>> M lps/includes/source/embednew.js
>>>>>>
>>>>>> Changeset:
>>>>>> http://svn.openlaszlo.org/openlaszlo/patches/20091217-maxcarlson-y.tar
>>>>>
>>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> Laszlo-reviews mailing list
>>> [email protected]
>>> http://www.openlaszlo.org/mailman/listinfo/laszlo-reviews
>>
>
> --
> Regards,
> Max Carlson
> OpenLaszlo.org