Posted by: bubbles
Date: February 09, 2007 12:19PM

Seems to me that all this is used for in javascript is to bypass filters when executing xss attacks. I'm sure there are legitimate reasons for having it, but it seems to me that it does more harm than good. Anyway, just a thought, was curious what you guys think.


Re: String.fromCharCode
Posted by: Kyran
Date: February 09, 2007 12:29PM

Yup, imo this has no legitimate uses unless you need a really weird character that it has access to and for some reason you can't just copy-paste it. But even that's a little obscure.

- Kyran

Re: String.fromCharCode
Posted by: kuza55
Date: February 09, 2007 07:54PM

It's actually quite useful when doing automated string manipulation, e.g. writing a Caesar or Vigenère or similar cipher would be next to impossible (it's doable because you can create your own version of the function by creating an array which acts like a lookup table).

But quite seriously; I don't think that removing functionality from one language is a very good way to stop vulnerabilities in applications written in other languages.

And even if we remove it there are still things like this: http://ha.ckers.org/xss.html#XSS_no_single_double_quotes_semicolon

And even if you remove both of those; if you can inject JS, you can almost certainly inject a form, with an attribute which has js in it, and then all you need to do is eval(document.forms[3].attribute_name) and you're executing js, and we can't destroy that since it will break a lot of old apps.
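The thread's point is that String.fromCharCode lets an attacker hide characters from a naive filter. Below is an added example (not kuza55's code or anything from the thread) showing the defensive counterpart: a normalizer that expands fromCharCode(...) calls in untrusted text before it is filtered or reviewed, handling decimal and hex arguments and repeated layers. The sample strings are constructed for this example.

```javascript
// Added example: expand String.fromCharCode(...) calls found in untrusted
// text so a filter or log review sees the characters a browser would produce.
// Sample inputs are constructed for this example, not taken from the thread.

const FROM_CHAR_CODE = /String\s*\.\s*fromCharCode\s*\(\s*([^()]*?)\s*\)/g;

// Parse one argument list ("104, 0x65, 108") into UTF-16 code units.
// Returns null when any argument is not a valid non-negative integer, so the
// caller leaves the original text untouched instead of mis-decoding it.
function parseCodes(argList) {
  if (argList.trim() === "") return [];          // fromCharCode() yields ""
  const codes = [];
  for (const raw of argList.split(",")) {
    const token = raw.trim();
    if (token === "") return null;               // "1,,2" is not valid JS
    const n = Number(token);                     // accepts decimal and 0x hex
    if (!Number.isInteger(n) || n < 0) return null;
    codes.push(n & 0xffff);                      // fromCharCode keeps 16 bits
  }
  return codes;
}

// Replace every decodable String.fromCharCode(...) call with its result.
// Repeats a bounded number of rounds because the decoded text may itself
// contain another fromCharCode call (a second obfuscation layer).
function expandFromCharCode(text, maxRounds = 5) {
  let current = text;
  for (let round = 0; round < maxRounds; round++) {
    const next = current.replace(FROM_CHAR_CODE, (match, args) => {
      const codes = parseCodes(args);
      return codes === null ? match : String.fromCharCode(...codes);
    });
    if (next === current) break;
    current = next;
  }
  return current;
}

// Constructed samples: a harmless word written the way a filter-evasion
// attempt would write it, and the same call with hex arguments and odd spacing.
const SAMPLE_DECIMAL = "x = String.fromCharCode(104, 101, 108, 108, 111);";
const SAMPLE_HEX = "String . fromCharCode(0x48,0x69)";

console.log(expandFromCharCode(SAMPLE_DECIMAL)); // x = hello;
console.log(expandFromCharCode(SAMPLE_HEX));     // Hi
```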

Re: String.fromCharCode
Posted by: SW
Date: February 10, 2007 03:19AM

Very good point kuza. What if you want to manipulate chars as their ascii codes? I made a few functions to do this because I never knew about this function in the past lol. >:O
