Caja 2007 (was: Innocent code vs Caja)

On Dec 28, 2007 2:30 PM, John Resig <jeresig@gmail.com> wrote:
>
> This seems like a safe hypothesis. Considering that, in jQuery, we're
> usually just looping over vanilla objects to snag their properties
> (treating them like a hash-map) - or looping over custom objects (but
> using for(;;)) - so we'd be safe with these rules.
Thanks for the feedback John, it was very useful. I've just uploaded a
new draft/unready/untested "erights/first-class" gvn microbranch of
caja.js that does not modify Object.prototype at all. As it says at
the beginning of
<http://google-caja.googlecode.com/svn/changes/erights/first-class/trunk/src/js/com/google/caja/caja.js>:
// <i>Innocent code</i> is code which we assume to be ignorant of
// Caja, not to be actively hostile, but which may be buggy (and
// therefore accidentally harmful or exploitable). This corresponds to
// legacy code, such as libraries, that we decide to run untranslated,
// perhaps hidden or tamed, but which needs to co-exist smoothly with
// the Caja runtime.
//
// We assume that innocent code uses unfiltered for/in loops only to
// enumerate direct instances of <tt>Object</tt>, i.e., objects that
// directly inherit from <tt>Object.prototype</tt>.
//
// In order not to disrupt innocent code, the Caja runtime adds no
// properties to <tt>Object.prototype</tt> itself. The only property
// names Caja adds to other primordial objects are names ending in
// triple underbar. The actual spelling of all names ending in triple
// underbar is considered private to the Caja implementation and may
// change without notice over time. Any for/in loops in innocent code
// used to enumerate any primordial object other than
// <tt>Object.prototype</tt>, or any object that inherits from such an
// object, may need to be modified to skip properties ending with
// triple underbar. See <tt>canInnocentEnum</tt> below.
John Resig
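The enumeration rule quoted from the caja.js header, shown as an added example that is not the caja.js code itself: a stand-in runtime adds only a triple-underbar name to Array.prototype, a plain-object for/in is unaffected, and a for/in over an array is filtered with a hypothetical canInnocentEnum(obj, name) whose behaviour is assumed from the comment alone.

```javascript
// Stand-in for the Caja runtime (assumption, not the real one): it leaves
// Object.prototype untouched and adds only a name ending in a triple
// underbar to another primordial prototype. Plain assignment makes the
// property enumerable, so an unfiltered for/in over any Array sees it.
Array.prototype.tamed___ = function () { return 'runtime-private'; };

// Is this a name the Caja runtime reserves (ends in a triple underbar)?
function isCajaPrivateName(name) {
  return typeof name === 'string' && /___$/.test(name);
}

// Hypothetical filter for innocent code, modelled on the rule in the
// header comment: skip properties whose names end in a triple underbar.
function canInnocentEnum(obj, name) {
  return !isCajaPrivateName(name);
}

// Keys an innocent for/in loop would see after applying the filter.
function innocentKeys(obj) {
  const keys = [];
  for (const name in obj) {
    if (canInnocentEnum(obj, name)) keys.push(name);
  }
  return keys;
}

// Keys an unfiltered for/in loop sees, for comparison.
function unfilteredKeys(obj) {
  const keys = [];
  for (const name in obj) keys.push(name);
  return keys;
}

// A direct instance of Object: the runtime added nothing to
// Object.prototype, so filtered and unfiltered views agree.
function plainObjectKeys() {
  return unfilteredKeys({ a: 1, b: 2 });
}

// An array with one own expando property (constructed sample input): the
// unfiltered loop also yields the runtime's tamed___; the filtered one
// yields only the indices and the expando.
function arrayKeysFiltered() {
  const arr = ['x', 'y'];
  arr.extra = true;
  return innocentKeys(arr);
}
```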