From: SourceForge.net <no...@so...> - 2005-08-08 03:37:17

Bugs item #1253578, was opened at 2005-08-07 11:16
Message generated for change (Comment added) made by warp9pnt9
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105757&aid=1253578&group_id=5757

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: DynAPI 3 API
Group: Verified
Status: Open
Resolution: None
Priority: 5
Submitted By: qq365 (qq365)
>Assigned to: L W (warp9pnt9)
Summary: Need to avoid someone adding prototype to object

Initial Comment:
In another js file, someone may add a function like:

    Object.prototype.toXML

so we need to avoid someone adding a prototype to object.

For example:

in event.js, line 342
---need change
    for (id in this._childAnchors) this._updateAnchor(id);
---to
    for (id in this._childAnchors) {
        if (typeof this._childAnchors[id] != 'function') this._updateAnchor(id);
    }

in ioelement.sync.js, line 33
---need change
    nv[nv.length] = i + '=' + ((mod != 'get') ? data[i] : IOElement.URLEncode(data[i]));
---to
    if (typeof data[i] != 'function')
        nv[nv.length] = i + '=' + ((mod != 'get') ? data[i] : IOElement.URLEncode(data[i]));

----------------------------------------------------------------------

>Comment By: L W (warp9pnt9)
Date: 2005-08-07 23:37

Message:
Logged In: YES
user_id=706287

I'm not sure I fully understand what you mean. Can you explain better? Give a
specific example of how this is a problem.

I would venture a guess that this refers to some sort of scripting
vulnerability? Presumably cross-site? Maybe one site uses JavaScript, and
another site spoofs the page, and stuffs in some additional JavaScript to peek
at the information going between the client and the server, to log elsewhere?

I'd definitely understand if you upload an attachment with a self-contained
example with all involved files (zip, 7z, tar.bz2, etc.), and instructions on
what to observe.

I can set up two servers on localhost, or one local and another on the
internet, and make a test case, analyze packet logs, anything. Just tell me
what to look for. If someone else understands, please explain.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105757&aid=1253578&group_id=5757
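The issue the report describes, as an added example that is not part of the tracker thread or of DynAPI's own code: a `for...in` loop over a plain object also enumerates members that another script has added to `Object.prototype`, so a serializer like the one in ioelement.sync.js leaks them into the query string. The example assumes `encodeURIComponent` stands in for `IOElement.URLEncode`, and it compares the unguarded loop, the `typeof` check proposed in the report, and an own-property check.

```javascript
// Added example, not DynAPI code. encodeURIComponent is assumed to play
// the role of IOElement.URLEncode from the report.

// keep(data, key) decides whether a key enumerated by for...in is serialized.
function serialize(data, keep) {
  var nv = [];
  for (var i in data) {
    if (keep(data, i)) nv[nv.length] = i + '=' + encodeURIComponent(data[i]);
  }
  return nv.join('&');
}

// Unpatched behaviour: every enumerable key, inherited or not.
function keepAll() { return true; }

// The guard proposed in the report: skip function-valued members.
function keepNonFunctions(data, i) { return typeof data[i] != 'function'; }

// Stricter guard: only the object's own properties, whatever their type.
function keepOwn(data, i) {
  return Object.prototype.hasOwnProperty.call(data, i);
}

// Constructed scenario: some other script on the page has added both a
// method and a plain value to Object.prototype. Cleaned up afterwards so
// the rest of the program is unaffected.
function withPollutedPrototype(fn) {
  Object.prototype.toXML = function () { return '<x/>'; };
  Object.prototype.apiVersion = '3';
  try { return fn(); } finally {
    delete Object.prototype.toXML;
    delete Object.prototype.apiVersion;
  }
}

// Serializes a constructed form object under all three policies.
function demo() {
  var form = { user: 'alice', mode: 'save' };
  return withPollutedPrototype(function () {
    return {
      naive: serialize(form, keepAll),
      nonFunctions: serialize(form, keepNonFunctions),
      ownOnly: serialize(form, keepOwn)
    };
  });
}
```

Note that the `typeof` guard still lets a non-function prototype member (`apiVersion` above) through; only the own-property check confines the output to the caller's own data.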