The swf behavior is a bug in the pseudo-evaluator.  I filed as 
http://jira.openlaszlo.org/jira/browse/LPP-8677

On 12/18/09 12:58 PM, P T Withington wrote:
> On 2009-12-18, at 15:44, Max Carlson wrote:
>
>> There's always a security risk with eval, but I don't think it's much of
>> a problem seeing as how it's all happening on the client...  It's how
>> 99% of all webapps execute JSON - which can be much worse as it's coming
>> from a remote machine!
>
> Fixed in ES5, now an accepted standard, hopefully coming to a browser near 
> you soon!
>
>> I didn't want to write a silly little pseudo-eval/read like we have in
>> swf, which has the same security issues.
>
> Or odd behaviour, such as what Maynard discovered.  I assume it is the 
> pseudo-eval that is causing unbound symbols to be interpreted as strings 
> in swf?
>
>> On 12/18/09 12:39 PM, P T Withington wrote:
>>> I agree with Max that if you are trying to pass a literal string, you will 
>>> have to quote it.  This interface is expecting a Javascript expression, so 
>>> it would seem the swf behaviour was really a bug.
>>>
>>> OTOH, Max: is there a security issue with passing these expressions 
>>> directly to eval in DHTML?
>>>
>>> On 2009-12-18, at 14:44, Maynard Demmon wrote:
>>>
>>>> Not always, though with my rewritten version I first cast it to a string
>>>> and escape the ' character. SWF seems fine with whatever is passed in.
>>>> I've used booleans and strings.
>>>>
>>>> -Maynard
>>>>
>>>> Max Carlson wrote:
>>>>> Is value a string?  If so, I'd expect it to be quoted...
>>>>>
>>>>> On 12/18/09 11:39 AM, Maynard Demmon wrote:
>>>>>> This fix appears to work. One difference I noticed is that in DHTML I
>>>>>> had to enclose the value in quotes whereas for swf this wasn't
>>>>>> necessary. For example, this:
>>>>>>
>>>>>> top.lz.embed.callMethod("gRTECallback." + methodName + "("+value+")");
>>>>>>
>>>>>> had to be rewritten like this:
>>>>>>
>>>>>> top.lz.embed.callMethod("gRTECallback." + methodName + "('"+value+"')");
>>>>>>
>>>>>> The quoted version works for both swf and dhtml.
>>>>>> -Maynard
>>>>>>
>>>>>> Max Carlson wrote:
>>>>>>> Change 20091217-maxcarlson-y by maxcarl...@bank on 2009-12-17 16:24:52
>>>>>>> PST
>>>>>>> in /Users/maxcarlson/openlaszlo/trunk-clean
>>>>>>> for http://svn.openlaszlo.org/openlaszlo/trunk
>>>>>>>
>>>>>>> Summary: Add lz.embed[.appid].callMethod() support to DHTML
>>>>>>>
>>>>>>> Bugs Fixed: LPP-8676 - callMethod doesn't seem to work in dhtml, only
>>>>>>> in swf
>>>>>>>
>>>>>>> Technical Reviewer: ptw
>>>>>>> QA Reviewer: mdemmon
>>>>>>>
>>>>>>> Details: Add support for callMethod() to the DHTML runtime, complete
>>>>>>> with queueing when called before the app completes initialization.
>>>>>>>
>>>>>>> Tests: Testcase from LPP-8676 shows the same result across runtimes at
>>>>>>> startup and when clicking the 'Call onclick' button.
>>>>>>>
>>>>>>> Files:
>>>>>>> M lps/includes/source/embednew.js
>>>>>>>
>>>>>>> Changeset:
>>>>>>> http://svn.openlaszlo.org/openlaszlo/patches/20091217-maxcarlson-y.tar
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Laszlo-reviews mailing list
>>>> [email protected]
>>>> http://www.openlaszlo.org/mailman/listinfo/laszlo-reviews
>>>
>>
>> --
>> Regards,
>> Max Carlson
>> OpenLaszlo.org
>

-- 
Regards,
Max Carlson
OpenLaszlo.org
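As an added illustration of the point raised in this thread (not OpenLaszlo code): on DHTML the string handed to callMethod() is evaluated as a JavaScript expression, so a raw concatenated value is parsed as code, which is why an unquoted word became an unbound symbol. The hardened builder below restricts the method name to a plain identifier and serializes each argument with JSON.stringify (the ES5 facility mentioned above); gRTECallback, methodName and value come from the thread, while buildCallNaive, buildCall, runCall and the stub callback object are constructed here.

```javascript
// Constructed example: building the expression string that the DHTML
// runtime evaluates, in the naive form from the thread and a safe form.

var IDENT = /^[A-Za-z_$][\w$]*$/;

// Naive form from the thread: value is spliced in raw, so it is parsed as
// a JavaScript expression rather than passed as data.
function buildCallNaive(methodName, value) {
  return "gRTECallback." + methodName + "(" + value + ")";
}

// Hardened form: methodName must be a plain identifier, and every argument
// is serialized with JSON.stringify so strings, numbers and booleans arrive
// as literals regardless of which characters they contain.
function buildCall(methodName, args) {
  if (!IDENT.test(methodName)) {
    throw new Error("methodName is not a plain identifier: " + methodName);
  }
  var literals = [];
  for (var i = 0; i < args.length; i++) {
    var lit = JSON.stringify(args[i]);
    if (lit === undefined) {
      throw new Error("argument " + i + " is not JSON-serializable");
    }
    literals.push(lit);
  }
  return "gRTECallback." + methodName + "(" + literals.join(", ") + ")";
}

// Stand-in for the app-side callback object the expression is evaluated
// against; eval here plays the role of the DHTML runtime. Returns the value
// the callback actually received, or throws as the runtime would.
function runCall(expr) {
  var received = null;
  var gRTECallback = {
    setValue: function (v) { received = v; return v; }
  };
  eval(expr); // direct eval sees the local gRTECallback above
  return received;
}
```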
