DOM based AngularJS sandbox escapes

Gareth Heyes gareth.heyes at
Wed Aug 30 10:36:00 UTC 2017

Hi all

I thought I'd share my AngularJS talk because it has a few JS bugs/features. Chrome allows you to call __lookupGetter__ in the context of window when called as a general function, not as a member function.

There are also a load of getters now available on window such as event which leads to a sandbox escape.

Firefox allows you to use __lookupGetter__ to get caller; no other browser does this. There are many more quirks explained in the talk and blog.



More information about the es-discuss mailing list