Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Several years back I was on a job where the boss wanted to allow virtually any user-provided HTML/CSS/JS in a content area, while preventing redirects.

No implementation ever happened of course, but my first thought was, what would happen if we did a "<script>delete(window.location);</script>" near the top of the template?

Answer: nothing. But what would the implications be if browsers allowed it?



Some browsers allow __defineGetter__ and __defineSetter__ to replace native properties such as window.location


Interesting. I did a few tests and it seems Chrome will let me override window.location with __defineSetter__() but not document.location, while Safari was the other way around. Firefox 3.x won't let me redefine either one ("TypeError: redeclaration of var location").




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: