DOM based AngularJS sandbox escapes

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

DOM based AngularJS sandbox escapes

Gareth Heyes
Hi all

I thought I'd share my AngularJS talk because it has a few js bugs/features. Chrome allows you to call __lookupGetter__ in the context of window when called as a general function not as a member function. 

There are also a load of getters now available on window such as event which leads to a sandbox escape.

Firefox allows you use __lookGetter__ to get caller no other browser does this. There are many more quirks explained in the talk and blog.


Cheers
Gareth

_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss
Reply | Threaded
Open this post in threaded view
|

Re: DOM based AngularJS sandbox escapes

T.J. Crowder-2
On Wed, Aug 30, 2017 at 11:36 AM, Gareth Heyes
<[hidden email]> wrote:
>
> I thought I'd share my AngularJS talk because it has a few js bugs/features.

I recommend opening proper issues (if they aren't already reported) in the appropriate locations (e.g., the [V8 issue list][1], [Chromium issue list][2], [Bugzilla][3], ...).

-- T.J. Crowder



_______________________________________________
es-discuss mailing list
[hidden email]
https://mail.mozilla.org/listinfo/es-discuss