Operator overloading

Joe Walker joe at getahead.org
Sat Mar 24 12:15:25 PDT 2007


Hi,

I blogged about a potential danger of operator overloading in JS2:
http://getahead.org/blog/joe/2007/03/22/operator_overloading_in_javascript_2_and_a_potential_monster_csrf_hole.html

Kris Zyp made a very good point about unitary operators which indicates that
the risk probably does not exist. I hope he is right.

The real worry here is that the designers of the language will, in one spec,
have to out-smart crackers for a long time to come. Once websites start
using a feature, it can't be easily removed. In my opinion, this is a good
case for a 'belt-and-braces' approach to security.

I also wonder if this technique could be used as a way of stealing other
data formats?

Thanks,

Joe.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.mozilla.org/pipermail/es-discuss/attachments/20070324/22fcafac/attachment-0002.html 


More information about the Es4-discuss mailing list