On 4/3/07, troels knak-nielsen <[EMAIL PROTECTED]> wrote:
> This might be of interest.
>
> http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
That paper is very misleading. It doesn't really have anything to do with client-side toolkits at all. The exploit in question ONLY applies to JSON arrays. If the server does not return an array, then the exploit does not work. If you return objects (which almost everyone does anyway) then this exploit does not apply. Bare objects aren't valid JS syntax on their own, but arrays are. Additionally the exploit depends on adding setters to Object, which only works in Firefox and IE (not Safari or Opera).

-bob

You received this message because you are subscribed to the Google Groups "MochiKit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
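The array-versus-object distinction in the reply above, as an added example that is not code from the thread or from MochiKit: a parse-only check that reports whether a JSON body is also a syntactically valid standalone script (the precondition the "JavaScript Hijacking" paper relies on), and the wrapping mitigation the reply implies. The function names and the sample responses are this example's own.

```javascript
// Added example (not from the MochiKit thread). A bare array literal parses
// as a script; a bare object literal does not, because the braces are read
// as a block statement and "key": value is then a syntax error.

function parsesAsScript(body) {
  try {
    // new Function only parses the body; it is never invoked here.
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Mitigation assumed here: wrap an array payload in an object so the
// response stops being a valid script while remaining valid JSON.
function hardenJsonBody(body) {
  const value = JSON.parse(body);
  if (Array.isArray(value)) {
    return JSON.stringify({ data: value });
  }
  return body;
}

// Constructed sample responses for a hypothetical "list users" endpoint.
const ARRAY_RESPONSE = '[{"id":1,"email":"a@example.com"}]';
const OBJECT_RESPONSE = '{"users":[{"id":1,"email":"a@example.com"}]}';

console.log(parsesAsScript(ARRAY_RESPONSE));   // true: loadable as a script
console.log(parsesAsScript(OBJECT_RESPONSE));  // false: SyntaxError as a script
console.log(hardenJsonBody(ARRAY_RESPONSE));   // {"data":[...]}
```

The check reports syntactic parseability only; the browser-specific setter behaviour the reply mentions is not modelled, so treat a `true` result as a triage signal for responses that carry per-user data.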
