[langsec-discuss] how to execute javascript in comments

Daira Hopwood daira at jacaranda.org
Mon Jul 13 23:28:42 UTC 2015

On 25/06/15 06:00, travis+ml-langsec at subspacefield.org wrote:
> https://stackoverflow.com/questions/30727515/why-is-executing-java-code-in-comments-with-certain-unicode-characters-allowed?stw=2

Javascript/ECMAScript has different rules for Unicode escapes than Java. It doesn't
convert \u escapes before lexing; it only interprets them in identifiers and strings.


(This was the same in previous versions, and also in vendor implementations of
Javascript, although there were differences in sets of allowed characters and

Note that MIME charset decoding *is* done before interpreting Javascript. Also
HTML or XML entity expansion is potentially tricky, if the Javascript is embedded
in those.

(If you want to allow only a safe subset, see the FILTER_CDATA rule of
<http://jacaranda.org/jacaranda-spec-0.46.txt>. Note: Jacaranda is a dead project;
I am no longer confident that the general approach it used is sound, and my current
focus is on new languages built from scratch for security.)

Daira Hopwood ⚥
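
The behaviour described in the message above, as an added example that is not part of the original post: in JavaScript a \u escape is decoded inside identifiers and string literals but not inside comments or in place of punctuation, so the comment trick from the linked Java question does not carry over. The helper name run and all snippets are assumptions made for illustration.

```javascript
// Added example. Every snippet is constructed sample input, not code from the thread.
// String.raw keeps each backslash-u sequence as literal characters in the source text.

// Compile and run a source string as a function body; report its value or error type.
function run(src) {
  try {
    return { ok: true, value: new Function(src)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Escape inside a line comment: not decoded, so the comment runs to the real newline
// and the assignment after \u000a never executes.
function escapeInComment() {
  return run([
    "var hit = false;",
    String.raw`// \u000a hit = true;`,
    "return hit;",
  ].join("\n"));
}

// Escape inside an identifier: decoded, so \u0061bc and abc name the same variable.
function escapeInIdentifier() {
  return run(String.raw`var \u0061bc = 41; return abc + 1;`);
}

// Escape inside a string literal: decoded to a character value (here a line feed);
// it does not end the line the literal sits on.
function escapeInString() {
  return run(String.raw`return "a\u000ab".length;`);
}

// Escape standing in for punctuation: \u0028 and \u0029 are not read as parentheses.
function escapeAsPunctuation() {
  return run(String.raw`return Math.max\u00281, 2\u0029;`);
}

console.log(escapeInComment(), escapeInIdentifier(), escapeInString(), escapeAsPunctuation());
```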
