semicolon insertion for UseSubsetDirectives

Mark S. Miller erights at google.com
Thu Oct 30 11:57:02 PDT 2008


[+es3.x-discuss]

(Please keep es3.x-discuss on the addressee list of messages relating
to the ES3.1 spec.)

On Thu, Oct 30, 2008 at 11:38 AM, Waldemar Horwat <waldemar at google.com> wrote:
> As you suggested, the simplest solution is to make the semicolon after the
> use directive string literal mandatory.
>
>   Waldemar
>
> Mike Samuel wrote:
>>
>> How does the following program parse in the presence of ES3.1
>> UseSubsetDirectives?
>>
>> "use strict"
>> + new Foo()
>>
>> Does semicolon insertion work after UseSubsetDirectives?  Even if the next
>> token is an operator that can validly follow a string literal in that
>> context?
>>
>> Does it matter that the Foo instance's valueOf would be invoked with a
>> type hint of undefined under ES3, but with a type hint of 'number' under
>> ES3.1?
>>
>>
>> In another weird case:
>>
>> "use strict"
>> /foo,'/* blah()  /**/ //'
>>
>> In ES3, this is the same as
>>  ("use strict" / foo), "\x27\x2a blah\x28\x29  \x27\x2a\x2a\x27 \x27\x27"
>> but if a semicolon is inserted without regards for the following token
>> being an operator, the / starts a regexp, so it becomes the same as
>>  "use strict";
>>  (/foo , \x22/) * blah();
>>
>>
>> I think the difference in behavior in the first case is ignorable, but the
>> significant change in AST produced in the second provides a lot of
>> opportunity for security breaches.
>> Disallowing semicolon insertion after a UseSubsetDirective, so that the
>> tokenization is the same would solve that, and I think lint tools and
>> interpreter warnings can advise when a string token that looks like a use
>> subset is being ignored because a semicolon is lacking.
>>
>> mike
>
> _______________________________________________
> Es-discuss mailing list
> Es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
>



-- 
    Cheers,
    --MarkM


More information about the Es-discuss mailing list