Validating against a possible security hole


You wouldn’t think Abacus could introduce a potential security concern, but…
At one point in my pre-release software, I mandated that an mEdit:execute attribute’s value would conditionally run through an eval() statement. I tried to restrict what it could do by making sure the statement to be run (the value was split on semicolons) contained a particular string of code representing a value:
<foo mEdit:execute="mEdit:loopVariable('x') += 2;"/>
Unfortunately, in my opinion that wasn’t good enough:
<foo mEdit:execute="alert(hiddenVar) //mEdit:loopVariable('x');"/>
It bothered me. I really wanted to allow only expressions of the first type, not the second. So, after a little thinking, I came up with this:

function test(untrusted) {
    // Allow only: x, an optional compound-assignment operator, "=", and digits.
    // For now we are deliberately forcing the first character to be x.
    // This illustrates for the example how closely we are watching the expression.
    var re = /x\s*[\+\-\*\/\%]?=\s*\d*/;
    var matches = untrusted.match(re);
    // Without the g flag, match() returns either null or a one-element array
    // (there are no capture groups), so anything else is a rejection.
    if ((!matches) || (matches.length != 1)) {
        return false;
    }
    var match = matches[0];
    // The pattern is unanchored, so require that the match IS the whole input;
    // this is what stops trailing code such as "//alert(...)" from slipping through.
    if (match != untrusted) {
        return false;
    }
    return true; // this means we would execute the code
}

In the real code, the “x” in the regular expression is something else; I used it only to simplify my test case.
Thanks to Justin Wood for consultation on #mozilla when I was trying to figure this out.
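To show where the allow-list approach above leads, here is an added example (not code from the post or from Abacus) that takes the idea one step further: it anchors the pattern, captures the variable name, operator and number, and then applies the assignment itself instead of handing the string to eval() at all. The names ALLOWED_VARS, parseAssignment, applyAssignment and runExecute are assumptions for this example, as is the fictitious environment object standing in for mEdit:loopVariable storage; the pattern uses \d+ rather than \d* so that an empty right-hand side such as "x=" is rejected too.

```javascript
// Added example, not the post's code: an allow-list parser and a direct
// evaluator for the tiny "<var> <op>= <integer>" language, so the attribute
// value never reaches eval().

// Hypothetical set of loop-variable names this document is permitted to touch.
const ALLOWED_VARS = new Set(["x", "y"]);

// Anchored: the WHOLE string must be  name  [op]=  digits  [;]  with optional
// whitespace. Capture groups hand us the pieces we need to act on the input.
const EXPR_RE = /^\s*([A-Za-z_]\w*)\s*([+\-*\/%]?)=\s*(\d+)\s*;?\s*$/;

// Returns {name, op, value} for an acceptable expression, otherwise null.
function parseAssignment(untrusted) {
  if (typeof untrusted !== "string") return null;
  const m = EXPR_RE.exec(untrusted);
  if (!m) return null;
  const [, name, op, digits] = m;
  if (!ALLOWED_VARS.has(name)) return null; // e.g. "hiddenVar = 1"
  return { name, op, value: Number(digits) };
}

// Applies a parsed assignment to a plain-object environment and returns a new
// environment; nothing here interprets arbitrary code.
function applyAssignment(parsed, env) {
  const current = Object.prototype.hasOwnProperty.call(env, parsed.name)
    ? env[parsed.name]
    : 0;
  let next;
  switch (parsed.op) {
    case "":  next = parsed.value;           break;
    case "+": next = current + parsed.value; break;
    case "-": next = current - parsed.value; break;
    case "*": next = current * parsed.value; break;
    case "/":
    case "%":
      if (parsed.value === 0) throw new RangeError("division by zero");
      next = parsed.op === "/" ? current / parsed.value : current % parsed.value;
      break;
    default:
      throw new Error("unreachable: operator not admitted by EXPR_RE");
  }
  return { ...env, [parsed.name]: next };
}

// Entry point a document processor would call with the attribute's value.
// Rejections are reported rather than silently ignored so they can be logged.
function runExecute(attrValue, env) {
  const parsed = parseAssignment(attrValue);
  if (parsed === null) {
    return { ok: false, env, reason: "rejected expression: " + attrValue };
  }
  return { ok: true, env: applyAssignment(parsed, env) };
}

// Constructed sample inputs mirroring the two cases from the post.
const samples = [
  "x += 2",                  // accepted
  "alert(hiddenVar) //x;",   // rejected: not an assignment
  "x = 2; alert(1)",         // rejected: trailing statement
  "x=",                      // rejected: empty right-hand side
  "hiddenVar = 1",           // rejected: variable not on the allow list
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", JSON.stringify(runExecute(s, { x: 3 })));
}
```

The point of parsing into parts is that the validator and the executor now agree on exactly one grammar; the original test() still has to trust that whatever passes the regular expression is also harmless when eval() interprets it, which is a harder property to keep true as the pattern grows.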


One thought on “Validating against a possible security hole”

  1. Hey, I told you the public “thanks” wasn’t needed, but it wasn’t a problem at all 😉