Secure Mode exposes 'window' as 'this'

Work submitted

Pull requests: 1

Contributors: 1

Level: Intermediate

Clojure

Work submitted

Pull requests: 1

Contributors: 1

Level: Intermediate

Clojure

On GitHub

viebel / klipse

Klipse is a Javacript plugin for embedding interactive code snippets in tech blogs. A simple client-side code evaluator pluggable on any web page: clojure, ruby, javascript, python, scheme, es2017, jsx, brainfuck, c++, reagent, lua, ocaml, reasonml, prolog, common lisp
More info >

Issue posted by:

Yannick Scherer

xsc

Description

Within the KLIPSE boxes at the blog post announcing secure mode, it's still possible to run e.g. the following Javascript snippets, exposing things secure mode is trying to hide:

this.document
this.eval("1+2")

Even HTTP requests can be triggered:

var makeXhr = this.Function("return new XMLHttpRequest()");
var xhr = makeXhr.call(this);
...

All this is possible because this is bound to window.

Use Open Source to hire or get hired

On GitHub

viebel / klipse

Issue posted by:

Yannick Scherer

xsc

Login or registerto publish this job!

Login or registerto save this job!

Login or registerto save interesting jobs!

Login or registerto get personalised job recommendations!

Login or registerto get access to all your job applications!

Login or register to start contributing with an article!

Login or registerto see more jobs from this company!

Login or registerto boost this post!

Login or register to search for your ideal job!

Login or register to start working on this issue!

Login or registerto save articles!

Login to see the application

Secure Mode exposes 'window' as 'this'

On GitHub

Description

Use Open Source to hire or get hired

On GitHub

Use Open Source to hire or get hired

Login or register
to publish this job!

Login or register
to save this job!

Login or register
to save interesting jobs!

Login or register
to get personalised job recommendations!

Login or register
to get access to all your job applications!

Login or register
to see more jobs from this company!

Login or register
to boost this post!

Login or register
to save articles!