Security bugs in Jacaranda 0.3

# David-Sarah Hopwood (17 years ago)

Jacaranda 0.3 incorrectly assumes that a += operator returns a number, when in fact it can return a number or string. Also, the ++ and -- operators are incorrectly implemented on Internet Explorer, and may not return a number.

This allows the following exploits (in theory, since Jacaranda 0.3 has not been implemented):

```javascript
// All ES3 implementations
(function() {
  var c = 'constructor';
  var F = (function(){})[c += '']; // Function constructor
  F('alert("toast");')();
})();
```

```javascript
// Internet Explorer / JScript only
(function() {
  c = 'constructor';
  var F = (function(){})[c++]; // Function constructor
  F('alert("toast");')();
})();
```

In Jacaranda 0.4,

  • '+=' expressions will be treated only as 1st-class, not exposed. (The right-hand-side of the += is not restricted.)
  • postincrement/postdecrement will not be treated as exposed, except in modules that are marked as depending on ES3.1.

Does anyone know of any remaining cases where:

  • unary operators +, -, ~
  • prefix operators ++ and --
  • postfix operators ++ and --
  • binary operators *, /, %, -, <<, >>, >>>, &, ^, |
  • assignment operators *=, /=, %=, -=, <<=, >>=, >>>=, &=, ^=, |=

do not return a number value (or a decimal value in the case of ES3.1), either in correctly implemented ES3 / ES3.1 Kona draft, or due to a bug in any common JavaScript implementation?
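An added example (not from the original post) that probes the question above in the running engine: each listed operator is applied to operands chosen to defeat a "the result is a number" assumption, and the operators whose expression value is ever a non-number are collected. It only reports on the engine it runs in, so it cannot reproduce the JScript ++/-- bug; the operator names `u+`, `u-` and the helper names are my own.

```javascript
// Added example. Operands chosen to defeat a "result is a number" assumption:
// a property-name string, objects whose ToPrimitive yields it, null, undefined.
const hostileOperands = [
  'constructor',
  { valueOf: () => 'constructor' },
  { toString: () => 'constructor' },
  null,
  undefined,
];

// Evaluate one operator expression on a local copy of `a` and return the
// expression's VALUE (for postfix ++/-- that is ToNumber of the old value).
function applyOp(op, a, b) {
  let x = a;
  switch (op) {
    case '+=':   return (x += b);   // included for contrast: may be a string
    case '-=':   return (x -= b);
    case '*=':   return (x *= b);
    case '/=':   return (x /= b);
    case '%=':   return (x %= b);
    case '<<=':  return (x <<= b);
    case '>>=':  return (x >>= b);
    case '>>>=': return (x >>>= b);
    case '&=':   return (x &= b);
    case '^=':   return (x ^= b);
    case '|=':   return (x |= b);
    case '++':   return x++;
    case '--':   return x--;
    case 'u+':   return +x;
    case 'u-':   return -x;
    case '~':    return ~x;
    default: throw new Error('unknown operator ' + op);
  }
}

// Which operators ever produce a non-number for some pair of hostile operands?
// A verifier may treat obj[e] as a numeric-only index only for operators absent here.
function operatorsYieldingNonNumbers() {
  const ops = ['+=', '-=', '*=', '/=', '%=', '<<=', '>>=', '>>>=', '&=', '^=',
               '|=', '++', '--', 'u+', 'u-', '~'];
  const bad = [];
  for (const op of ops) {
    const hit = hostileOperands.some(a =>
      hostileOperands.some(b => typeof applyOp(op, a, b) !== 'number'));
    if (hit) bad.push(op);
  }
  return bad; // in a spec-conforming engine: ['+=']
}
```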