You wouldn't think Abacus could introduce a potential security concern, but...
At one point in my pre-release software, I mandated that an mEdit:execute attribute's value would conditionally be run through an eval() statement. I tried to restrict the possible activities by making sure that the statement to be run (the value was split by semicolons) contained a particular string of code representing a value:
<foo mEdit:execute="mEdit:loopVariable('x') += 2;"/>
Unfortunately, in my opinion that wasn't good enough, because anything could be prepended and the required string hidden behind a comment:
<foo mEdit:execute="alert(hiddenVar) //mEdit:loopVariable('x');"/>
It bothered me. I really wanted to allow only expressions of the first type, not the second. So, after a little thinking, I came up with this:
function test(untrusted) {
  // Allow only "x", an optional compound-assignment operator, "=", and a number.
  // \d+ requires at least one digit on the right-hand side.
  var re = /x\s*[\+\-\*\/\%]?=\s*\d+/;
  // For now we are deliberately forcing the first character to be x.
  // This illustrates for the example how closely we are watching the expression.
  var matches = untrusted.match(re);
  if ((!matches) || (matches.length != 1)) {
    return false;
  }
  // The match must cover the whole string: anything extra (a comment, a second
  // statement, a function call) makes the match shorter than the input.
  var match = matches[0];
  if (match != untrusted) {
    return false;
  }
  return true; // this means we would execute the code
}
The "x" in the regular expression will be something else in the real code; I just used it to simplify my test case.
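The same allow-list idea applied to the real attribute format, as an added example that is not code from the original post or from Abacus/mEdit. It assumes each statement has the form mEdit:loopVariable('name') op= integer, splits the value on semicolons as the post describes, and then applies the parsed statements to a table of loop variables instead of calling eval() at all.

```javascript
// Added example; assumed grammar: statements separated by ';', each of the form
//   mEdit:loopVariable('<name>') <op>= <integer>   with <op> one of + - * / % or none.
// Every statement must match this pattern from ^ to $, so a leading "alert(...) //"
// (or anything else) rejects the whole value.
var STATEMENT_RE = /^mEdit:loopVariable\('([A-Za-z_]\w*)'\)\s*([+\-*\/%]?)=\s*(-?\d+)$/;

// Parse the attribute value. Returns an array of {name, op, value}, or null if any
// non-empty statement fails the allow-list.
function parseExecute(attrValue) {
  var statements = attrValue.split(';');
  var parsed = [];
  for (var i = 0; i < statements.length; i++) {
    var stmt = statements[i].trim();
    if (stmt === '') { continue; }           // a trailing ';' leaves an empty piece
    var m = STATEMENT_RE.exec(stmt);
    if (!m) { return null; }                 // one bad statement rejects everything
    parsed.push({ name: m[1], op: m[2], value: parseInt(m[3], 10) });
  }
  return parsed;
}

// Apply the parsed statements to a loop-variable table without eval().
// Returns the updated table, or null if the value was rejected or would divide by zero.
function runExecute(attrValue, loopVars) {
  var parsed = parseExecute(attrValue);
  if (parsed === null) { return null; }
  // Prototype-less object so a name like __proto__ is just an ordinary key.
  var vars = Object.assign(Object.create(null), loopVars);
  for (var i = 0; i < parsed.length; i++) {
    var s = parsed[i];
    var cur = vars[s.name] || 0;
    if ((s.op === '/' || s.op === '%') && s.value === 0) { return null; }
    switch (s.op) {
      case '':  cur = s.value; break;
      case '+': cur += s.value; break;
      case '-': cur -= s.value; break;
      case '*': cur *= s.value; break;
      case '/': cur = Math.trunc(cur / s.value); break;  // integer division (assumed)
      case '%': cur %= s.value; break;
    }
    vars[s.name] = cur;
  }
  return vars;
}
```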
Thanks to Justin Wood for consultation on #mozilla when I was trying to figure this out.
Posted by WeirdAl at July 28, 2004 11:43 PM
Hey, I told you the public "thanks" wasn't needed, but it wasn't a problem at all ;-)
Posted by: Justin Wood (Callek) at July 30, 2004 2:00 AM