Comments on: Extensions & XMLHttpRequest & eval - Oh My

By: Erwan

Erwan — Fri, 18 Jul 2008 01:04:07 +0000

According to the doc on MDC, we can evaluate JSON either using the jsm (that actually does an eval in sandbox), or using the native component. Since the native component is much faster than the jsm, is there any reason to use the jsm or should we all use the native component?

By: Mark Finkle

Mark Finkle — Fri, 27 Jun 2008 14:07:47 +0000

Thanks Giorgio

By: Giorgio Maone

Giorgio Maone — Fri, 27 Jun 2008 09:20:57 +0000

Do you happen to know any other functions that we should be worried about other than eval()?

new Function(someCode) and node.setAttribute("onSomeEvent", someScript) are two which come to mind. innerHTML can be worrisome too, depending on the context.

By: Cesar

Cesar — Fri, 27 Jun 2008 05:57:16 +0000

Thank you Mark. This is exactly the kind of message we want sent out to developers :). I have denied at least 3 addons for this very reason. It is rare, but it happens. Never maliciously of course.

Do you happen to know any other functions that we should be worried about other than eval()?