As Brendan warned in bug 87980, there may be other places where eval() or new Function calls may allow the running of unescaped or otherwise dangerous code. Jesse, please do an lxr search on the calls Brendan mentioned and look for potentially dangerous usages.
email@example.com, nice. /be
r=mstoltz. Let's check it in!
jat checked in the eval fix above for me because I was having trouble checking in. I'll do setTimeout next. (I didn't get all the evals, since I couldn't figure out what it was being used for in every case.)
Less important bugs retargeted to 0.9.9
Target Milestone: mozilla0.9.7 → mozilla0.9.9
Target Milestone: mozilla0.9.9 → mozilla1.0
I was just thinking about eval() in chrome. Is anyone still interested in this bug?
Search for /."/ (slashes delimit the text to find) in attachment 155057 [details] and you will find more than a few bogus evals. The first one is this:

eval( "gICalLib."+functionToRun+"( calendarEvent, Server )" );

It should be done away with like so:

gICalLib[functionToRun]( calendarEvent, Server );

And so on for the rest. /be
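An added example, not code from the attachment or from Brendan's comment, contrasting the eval-based dispatch above with the bracket-lookup replacement; gICalLib, calendarEvent and Server are constructed stand-ins for the real calendar objects:

```javascript
// Constructed stand-in for gICalLib: an object with a couple of named methods.
const gICalLib = {
  addEvent(calendarEvent, server) { return `added ${calendarEvent.id} on ${server}`; },
  deleteEvent(calendarEvent, server) { return `deleted ${calendarEvent.id} on ${server}`; },
};

// Original pattern: the method name is spliced into source text and eval'd.
// Whatever string is in functionToRun is parsed as code, not just as a name.
function runViaEval(functionToRun, calendarEvent, Server) {
  return eval("gICalLib." + functionToRun + "( calendarEvent, Server )");
}

// Replacement: look the property up by name. The string is data only; a name
// that is not one of gICalLib's own methods is rejected instead of executed.
function runViaLookup(functionToRun, calendarEvent, Server) {
  const fn = gICalLib[functionToRun];
  if (typeof fn !== "function" ||
      !Object.prototype.hasOwnProperty.call(gICalLib, functionToRun)) {
    throw new TypeError(`gICalLib has no method named ${JSON.stringify(functionToRun)}`);
  }
  return fn.call(gICalLib, calendarEvent, Server);
}

// Runs both dispatchers on the same name and reports what each produced.
// For a plain method name they agree; for anything that is not a bare
// identifier, eval interprets it as source text while the lookup refuses it.
function compare(functionToRun) {
  const ev = { id: "evt-1" };          // constructed calendar event
  let viaEval, viaLookup;
  try { viaEval = runViaEval(functionToRun, ev, "cal.example"); }
  catch (e) { viaEval = `error: ${e.name}`; }
  try { viaLookup = runViaLookup(functionToRun, ev, "cal.example"); }
  catch (e) { viaLookup = `error: ${e.name}`; }
  return { viaEval, viaLookup };
}
```

A name such as "addEvent //" makes the eval version return the function itself (the rest of the generated source became a comment), and an inherited name such as "toString" makes it call Object.prototype.toString; the lookup version throws in both cases.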
Status: NEW → RESOLVED
Last Resolved: 20 days ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1473549