We use cookies and other tracking technologies to improve your browsing experience on our site, analyze site traffic, and understand where our audience is coming from. To find out more, please read our privacy policy.

By choosing 'I Accept', you consent to our use of cookies and other tracking technologies.

We use cookies and other tracking technologies to improve your browsing experience on our site, analyze site traffic, and understand where our audience is coming from. To find out more, please read our privacy policy.

By choosing 'I Accept', you consent to our use of cookies and other tracking technologies. Less

We use cookies and other tracking technologies... More

Login or register
to publish this job!

Login or register
to save this job!

Login or register
to save interesting jobs!

Login or register
to get access to all your job applications!

Login or register to start contributing with an article!

Login or register
to see more jobs from this company!

Login or register
to boost this post!

Show some love to the author of this blog by giving their post some rocket fuel 🚀.

Login or register to search for your ideal job!

Login or register to start working on this issue!

Login or register
to save articles!

Login to see the application

Engineers who find a new job through Blockchain Works average a 15% increase in salary 🚀

You will be redirected back to this page right after signin

Secure Mode exposes 'window' as 'this'

Pull requests: 1
Contributors: 1
Level: Intermediate
  • Clojure
Pull requests: 1
Contributors: 1
Level: Intermediate
  • Clojure

On GitHub

Klipse is a Javacript plugin for embedding interactive code snippets in tech blogs. A simple client-side code evaluator pluggable on any web page: clojure, ruby, javascript, python, scheme, es2017, jsx, brainfuck, c++, reagent, lua, ocaml, reasonml, prolog, common lisp
More info >

Issue posted by: 
xsc's avatar

Yannick Scherer

Description

Within the KLIPSE boxes at the blog post announcing secure mode, it's still possible to run e.g. the following Javascript snippets, exposing things secure mode is trying to hide:

this.document
this.eval("1+2")

Even HTTP requests can be triggered:

var makeXhr = this.Function("return new XMLHttpRequest()");
var xhr = makeXhr.call(this);
...

All this is possible because this is bound to window.

  • bug

Use Open Source Issues to hire or get hired

On GitHub

Klipse is a Javacript plugin for embedding interactive code snippets in tech blogs. A simple client-side code evaluator pluggable on any web page: clojure, ruby, javascript, python, scheme, es2017, jsx, brainfuck, c++, reagent, lua, ocaml, reasonml, prolog, common lisp
More info >

Issue posted by: 
xsc's avatar

Yannick Scherer

Use Open Source Issues to hire or get hired

Secure Mode exposes 'window' as 'this'
View on GitHub