Can we have Function.isPure(f)

David Bruant bruant.d at gmail.com
Mon Nov 5 13:28:13 PST 2012


On 05/11/2012 22:11, Andrea Giammarchi wrote:
> I see security problems all over ... you own your function, you can 
> make it "pure" or serializable ... you don't know your function, I 
> believe there's no way you want that unknown function to be executed 
> in your own sandbox opening doors for any sort of attack, i.e. ... 
> this is pure, no outer scope access at all: function pure() { 
> function(){return this}.call(null).Function.prototype.serialize = 
> function() { /* boom */ } }
Interesting.
Assuming the own/don't own divide, there is a way to annotate 
(symbol/(Weak)Set) functions that are known pure and export only these.

David
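
One way to realize the WeakSet annotation described in the message above, as an added example that is not part of the original thread. The names `makePurityRegistry`, `declarePure`, `isKnownPure` and `exportOnlyPure` are hypothetical, and the set records only what the owner has declared pure; it does not verify purity.

```javascript
// Added illustration: a private WeakSet used as an unforgeable "known pure" brand.
function makePurityRegistry() {
  // Reachable only through the two closures below, so outside code cannot
  // add itself to the set.
  const knownPure = new WeakSet();
  return {
    // Owner-only capability: keep this inside the module that wrote the functions.
    declarePure(fn) {
      if (typeof fn !== 'function') throw new TypeError('expected a function');
      knownPure.add(fn);
      return fn;
    },
    // Safe to hand out: a read-only membership test on object identity.
    isKnownPure(fn) {
      return typeof fn === 'function' && knownPure.has(fn);
    },
  };
}

const registry = makePurityRegistry();

// A function the owner wrote and vouches for.
const add = registry.declarePure((a, b) => a + b);

// A function of unknown origin that merely claims purity through a property.
// Anyone can set such a flag, which is why the brand lives in the WeakSet.
const unknown = function () { return 1; };
unknown.pure = true;

// A wrapper is a different object, so it does not inherit the brand.
const wrapped = (...args) => add(...args);

// Export filter: only functions the owner declared pure pass through.
function exportOnlyPure(candidates) {
  return candidates.filter((fn) => registry.isKnownPure(fn));
}

console.log(exportOnlyPure([add, unknown, wrapped]).length);
```

Because membership is keyed on object identity and the set is never exposed, a function from the "don't own" side cannot brand itself, whatever properties it sets.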