Comments on: FBJS-Like test console
http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/
Keep It Simple, Stupid
Tue, 17 Mar 2009 04:28:56 +0000

by: Peter Goodman http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/#comment-176 Tue, 15 Jan 2008 04:46:14 +0000

There seems to be a problem when dealing with inline regular expressions, where it treats everything within / and / as normal variables.
by: hedger http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/#comment-171 Fri, 04 Jan 2008 03:15:00 +0000

Thanks Peter, I have rewritten my code and your code should be handled correctly now.

Please keep me posted if you find any malicious code.

:-D
by: Peter Goodman http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/#comment-170 Fri, 04 Jan 2008 01:17:15 +0000

Here is a less convoluted example:

(function(){
// 'this' is the window object
alert(this);
})();
by: Peter Goodman http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/#comment-169 Fri, 04 Jan 2008 00:59:03 +0000

I have found another hole:

("".prototype = function() {
this["eval"]("alert('hello world.')");
})();

Unless of course, when it displays the around a string that means something. Also, if a normal variable 'prototype' is used, it is not filtered.
by: hedgerwang http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/#comment-168 Thu, 03 Jan 2008 19:53:34 +0000

Thanks, it's fixed now :-D
by: Peter Goodman http://blog.hedgerwow.com/2008/01/02/fbjs-like-test-console/#comment-167 Thu, 03 Jan 2008 06:05:26 +0000

It seems to screw up on:
eval("alert('hello world');");

producing:
SANDBOX_eval("alert('SANDBOX_hello SANDBOX_world');");

Also, it fails to stop the following possible exploit (for IE):
//@cc_on eval("alert('hello world');")

Otherwise, very cool!