A proposal to add String.prototype.format

Oliver Hunt oliver at apple.com
Wed Mar 9 12:06:10 PST 2011


Implicit function calls within string formatting operations seem like the sort of concept that is likely to lead to security problems on websites and the like.

This isn't a matter of "can the engine do this safely"; it's a question of whether the author expects arbitrary code execution to occur when they do

String.format("Someone we don't trust left this amazing comment: %s", somethingUntrusted)

For instance ES5 killed off implicit function calls in object and array literals (through accessors on the prototype chain) due to the potential for unsafe operations (namely data leakage) to occur in code that looked "safe".

--Oliver

On Mar 9, 2011, at 10:48 AM, P T Withington wrote:

> On 2011-03-09, at 13:20, Shanjian Li wrote:
> 
>>> It doesn't specify how to print objects, except for %s, which says that if
>>> the argument is not
>>> a string, convert it to string using .toString().
>>> 
>> 
>> If the format specifier does not apply to the argument given, it should
>> raise exceptions. Except string conversion, no other conversion will be
>> done.
> 
> Disagree.  Since ECMAScript knows the type of the arguments, it does _not_ need the format specifier to tell it the type (as C does).  Apparent mismatches should be left open as extensions.  For example, the `x` formatter should simply specify that numeric values should be expressed in base 16, not that the value _must_ be a number.  That way, you could pass an Array of numbers to `x` and see the numbers in base 16.
> 
> _______________________________________________
> es-discuss mailing list
> es-discuss at mozilla.org
> https://mail.mozilla.org/listinfo/es-discuss
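The implicit call Oliver describes, as an added example that is not part of the thread: a minimal %s formatter that coerces with String() runs whatever toString() an untrusted argument carries, while a variant that accepts only primitives for %s never reaches that method. The `format`, `formatStrict` and `makeUntrusted` names, and the sample object, are constructed for this illustration.

```javascript
// Added example (not from the es-discuss thread). Names are hypothetical.

// Naive formatter: String() on an object invokes that object's own
// toString() (or Symbol.toPrimitive), i.e. code chosen by whoever built
// the object, not by the author of the format call.
function format(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%s/g, () => String(args[i++]));
}

// Hardened variant: %s only accepts primitives, so no method on the
// argument can run. Objects (and functions) raise before conversion.
function formatStrict(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%s/g, () => {
    const v = args[i++];
    if (v !== null && (typeof v === 'object' || typeof v === 'function')) {
      throw new TypeError(`%s argument ${i - 1} is not a primitive`);
    }
    return String(v);
  });
}

// Constructed "untrusted" value: an object whose toString() has a side
// effect, standing in for anything that reaches the format call through a
// deserialisation or library boundary.
function makeUntrusted(log) {
  return {
    toString() {
      log.push('toString called'); // runs inside format(), unseen by the caller
      return 'hello';
    }
  };
}

// Runs both formatters on the same untrusted value and reports what happened.
function demo() {
  const log = [];
  const naive = format('Comment: %s', makeUntrusted(log));
  const callsDuringNaive = log.length; // 1: the object's code ran
  let strictError = null;
  try {
    formatStrict('Comment: %s', makeUntrusted(log));
  } catch (e) {
    strictError = e;                   // TypeError, and log is unchanged
  }
  return { naive, callsDuringNaive, strictError, totalCalls: log.length };
}
```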


