How to modify the scope chain without `with` ?
michalwadas at gmail.com
Tue Feb 16 15:45:24 UTC 2016
2016-02-16 15:51 GMT+01:00 Coroutines <coroutines at gmail.com>:
> Having the ability to derive from "global" (only in Node) and
> prepare an Object to run an function within as its global context
> would be an invaluable ability. (imo)
It seems like an obvious idea, but in fact it's almost impossible to secure
- consider `true.constructor.constructor("alert('XSS')")()`
ECMAScript lacks secure sandbox that would work in every browser, but such
limited scope manipulation is totally useless as "secure sandbox".
BTW, such limited scope manipulation is already possible, see how my
library works there -
(it heavily uses `eval`).
Sending again because of wrong "to".
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the es-discuss