Wow. No, we had no idea. I admit that I am shocked that the one tight
Cajita, ADsafe, FBJS, Jacaranda) already prevent access to the eval
function, as they must. So we should all be safe from this particular
new hole. However, so long as browser vendors feel free to quietly
introduce holes this large in existing functions...
> On Fri, Jun 27, 2008 at 1:44 AM, Mario Heiderich
> <Mario.H...@googlemail.com> wrote:
>> Just in case this is not known/intercepted yet.
> Wow. No, we had no idea. I admit that I am shocked that the one tight
> has now been ruined.
There's no "now" -- this old eval extension was added over ten years
3.2 <fur> 1998-04-23 17:30
This eval extension, if memory serves (I was in mozilla.org at the
time, not in the JS group at Netscape) originated in conversations
with Microsoft's rep during ECMA-262 standardization, trying to reach
agreement on a way to eval in other scopes.
> Cajita, ADsafe, FBJS, Jacaranda) already prevent access to the eval
> function, as they must. So we should all be safe from this particular
> new hole. However, so long as browser vendors feel free to quietly
> introduce holes this large in existing functions...
Mark, just because you discovered this does not mean that it was just
added. That you jumped to this conclusion makes me think "browser
vendors" (or really, Netscape then, but you must mean Mozilla now)
are fair game for collective blame. I hope not.
We've been removing old eval extensions (or pre-ECMA-262 modes, some
of this pre-dates standardization) in Firefox releases as we wean
people off of them. First to go was eval as a method on
Object.prototype -- that's gone in Firefox 3, and I mentioned this to
Doug at the January Ecma TC39 face to face (he did not know and had
thought that we couldn't remove it). We will remove this optional
second argument in a future release, as soon as we can.
I'd like to point out, while we are on this subject, that various
"secure eval" discussions and proposals in Ecma TC39/TG1 going back
to 2006, including
have run the risk (depending on how they are specified in detail) of
opening this hole in the standardized language. See
where the hazard of any kind of scope or context second argument to
eval is raised by Lars Hansen.
This hazard is exactly what Peter rediscovered. From the Ajaxian
thread it seems people are trying to devise workarounds that wrap
eval and try to tame it. The only safe course is to wrap eval and
suppress the second argument entirely.
This bug tracks removal of eval's optional second argument:
Hi Brendan, I was completely unaware of this history and did indeed
think that this was a newly opened hole. I'm very pleased to find that
it isn't. I'm especially pleased to hear that you folks plan to remove
this in a future release. Thanks for the clarification!