FunctionConstructor
Function constructor accessible via the 'constructor' property

Effect: Execution of unsanitized code in the global scope

Background: As discussed at http://code.google.com/p/google-javascript-type-system/issues/detail?id=2, the Function constructor allows for execution of unsanitized code. ECMAScript 262, section 15.3.4.1 (Function.prototype.constructor): "The initial value of Function.prototype.constructor is the built-in Function constructor."

Assumptions: The Function constructor has not been replaced with something innocuous.

Versions: All

Example:
((function () {}).constructor)('alert("document.cookie = " + document.cookie)')()
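The following is an added example, not code from the original page. It shows the two sides of the issue described above: first, that the 'constructor' property of an ordinary function resolves to the built-in Function constructor, so a string becomes executable code through a property lookup and a call alone, without the identifier Function or eval ever appearing in the guest text; second, the mitigation implied by the Assumptions line, in which a sandbox that controls its realm replaces the 'constructor' property on the function prototypes with a function that throws, and then freezes those prototypes, before any guest code runs. It goes beyond the page's single case by covering the generator and async function prototypes too, which the standard gives their own 'constructor' properties. The function names, the probe source string 'return 6 * 7' and the constructed error message are this example's own choices.

```javascript
// Added example (not from the original page). Demonstrates that
// fn.constructor reaches the built-in Function constructor, and one
// mitigation a sandbox can apply to its own realm before guest code runs.

// Every function prototype object to which the standard gives its own
// 'constructor' property (ordinary, generator, async, async generator).
// Obtained by syntax so the list does not depend on any global name.
const FUNCTION_PROTOTYPES = [
  Function.prototype,
  Object.getPrototypeOf(function* () {}),
  Object.getPrototypeOf(async function () {}),
  Object.getPrototypeOf(async function* () {}),
];

// True while fn.constructor still resolves to the real Function constructor.
function constructorReachesFunction(fn) {
  return fn.constructor === Function;
}

// The path the page describes: a property lookup followed by a call.
// The identifier Function never appears in the guest-supplied text.
function compileViaConstructor(fn, source) {
  return fn.constructor(source);
}

// Mitigation: replace 'constructor' on each function prototype with a
// thrower and freeze the prototype. Idempotent, so repeated calls are safe.
function hardenFunctionPrototypes() {
  for (const proto of FUNCTION_PROTOTYPES) {
    const desc = Object.getOwnPropertyDescriptor(proto, 'constructor');
    if (desc && !desc.configurable) continue; // already hardened
    Object.defineProperty(proto, 'constructor', {
      value: function blockedConstructor() {
        throw new TypeError('Function constructor is not available to guest code');
      },
      writable: false,
      enumerable: false,
      configurable: false,
    });
    Object.freeze(proto);
  }
}

// Runs the before/after comparison once and returns the observations.
// Cached because hardening is irreversible within the realm.
let demoResult = null;
function runDemo() {
  if (demoResult) return demoResult;
  const probe = function () {};
  const before = {
    reachesFunction: constructorReachesFunction(probe),
    // Constructed, harmless source string used as the probe payload.
    result: compileViaConstructor(probe, 'return 6 * 7')(),
  };
  hardenFunctionPrototypes();
  let blocked = false;
  try {
    compileViaConstructor(probe, 'return 6 * 7');
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  const after = {
    reachesFunction: constructorReachesFunction(probe),
    blocked,
    // The async function prototype carries its own 'constructor'; confirm
    // it was replaced as well.
    asyncBlocked: (async function () {}).constructor.name === 'blockedConstructor',
  };
  demoResult = { before, after };
  return demoResult;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Running the block prints the observations: before hardening the probe's 'constructor' is the real Function and the string compiles to a function returning 42; afterwards the lookup yields the thrower and compilation fails with a TypeError. The hardening must happen in the realm the guest code will run in and before it runs, which is exactly the assumption the page states; hardening the host realm does nothing for code evaluated in a separate context.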