[langsec-discuss] how to execute javascript in comments

Daira Hopwood daira at jacaranda.org
Mon Jul 13 23:28:42 UTC 2015


On 25/06/15 06:00, travis+ml-langsec at subspacefield.org wrote:
> https://stackoverflow.com/questions/30727515/why-is-executing-java-code-in-comments-with-certain-unicode-characters-allowed?stw=2

Javascript/ECMAScript has different rules for Unicode escapes than Java. It doesn't
convert \u escapes before lexing; it only interprets them in identifiers and strings.

<http://www.ecma-international.org/ecma-262/6.0/index.html#sec-comments>
<http://www.ecma-international.org/ecma-262/6.0/index.html#sec-names-and-keywords>
<http://www.ecma-international.org/ecma-262/6.0/index.html#sec-literals-string-literals>

(This was the same in previous versions, and also in vendor implementations of
Javascript, although there were differences in sets of allowed characters and
escapes.)

Note that MIME charset decoding *is* done before interpreting Javascript. Also
HTML or XML entity expansion is potentially tricky, if the Javascript is embedded
in those.

(If you want to allow only a safe subset, see the FILTER_CDATA rule of
<http://jacaranda.org/jacaranda-spec-0.46.txt>. Note: Jacaranda is a dead project;
I am no longer confident that the general approach it used is sound, and my current
focus is on new languages built from scratch for security.)

-- 
Daira Hopwood ⚥

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <https://mail.langsec.org/pipermail/langsec-discuss/attachments/20150714/925f588d/attachment.sig>


More information about the langsec-discuss mailing list