
This needs to override JavaScript commands to keep it from malicious use. For example, to override alert() do this:

  (function()
  {
    var proxied = window.alert;
    window.alert = function()
    {
      // replacement code here
      // call original function:
      proxied.apply(this, arguments);
    };
  })();


You don't do security by picking specific cases and guarding against them.

Either do it properly or not at all.


When I redefined alert to return false, it crashed Chrome pretty bad (note: I am not the owner).

If someone really feels like policing it, they can delete the iframe element (in FF, Chrome, or Opera) and just have access to the editor panes (which means no alerts, redirects, or other nastiness). I'm sure someone can figure out how to write a JavaScript snippet that will post some text that has been cleaned of all instances of "window.location", "alert", and probably "while". (I would do it myself, but it's 1am here).
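
The two ideas floated above, the alert() proxy from the first comment and the substring cleaning of "window.location", "alert" and "while" proposed here, are put side by side in the following added example. It is not code from the thread or from the site under discussion. It assumes a Node runtime, so `makeWindow()` builds a constructed stand-in for the browser's window object, and `runSnippet()` uses `new Function` only to keep the example self-contained (it is not a sandbox). The proxy works and sees every call; the denylist rejects the obvious `window.alert(...)` but passes two snippets that never contain the substring "alert" and still reach the real alert, which is the point made in the second comment about picking specific cases.

```javascript
'use strict';

// Constructed stand-in for the browser's window object so the example runs
// under Node. In a real page you would operate on window itself.
function makeWindow() {
  const win = { calls: [] };
  win.alert = function (msg) { win.calls.push(String(msg)); };
  return win;
}

// The proxy pattern from the first comment: keep a reference to the original
// alert, install a replacement that records the call, then forward to the
// original so behaviour is preserved. Returns the hook's own log.
function wrapAlert(win) {
  const proxied = win.alert;
  const log = [];
  win.alert = function () {
    log.push(Array.prototype.slice.call(arguments));
    return proxied.apply(this, arguments); // call the original function
  };
  return log;
}

// The substring denylist proposed later in the thread. A snippet is "clean"
// if none of the forbidden substrings appear in its source text.
const DENYLIST = ['window.location', 'alert', 'while'];
function denylistAllows(snippet) {
  return !DENYLIST.some((word) => snippet.includes(word));
}

// Evaluate a snippet with the stand-in bound to the name `window`. This uses
// new Function purely to keep the example self-contained; it is not a sandbox.
function runSnippet(snippet, win) {
  return new Function('window', snippet)(win);
}

// Constructed snippets: one the denylist catches, two it does not. Neither
// evasion contains the literal substring "alert", yet both resolve the same
// property at runtime and invoke window.alert.
const DIRECT = "window.alert('hi')";
const EVASIONS = [
  "window['al' + 'ert']('computed name')",                               // string concatenation
  "window[String.fromCharCode(97, 108, 101, 114, 116)]('charcode name')", // name built from char codes
];

// Runs the whole comparison and returns the measurable outcome.
function evaluate() {
  const win = makeWindow();
  const hookLog = wrapAlert(win);
  const allowed = EVASIONS.filter(denylistAllows);
  allowed.forEach((snippet) => runSnippet(snippet, win));
  return {
    directBlocked: !denylistAllows(DIRECT), // the obvious case is rejected
    evasionsAllowed: allowed.length,        // both evasions pass the filter
    alertsReached: win.calls.length,        // the real alert still ran for each
    hookSawThem: hookLog.length,            // and the proxy wrapper saw each call
    messages: win.calls.slice(),
  };
}

console.log(evaluate());
```

The proxy is the only part of this that holds up: because it replaces the function object itself, every path to `window.alert`, however the property name is spelled, goes through it. The denylist inspects source text, and source text is not what executes.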


I put in return false; and it did nothing (using Chrome v22.0.1229.56 beta-m). You wouldn't want to return false anyway; alert is not defined as returning a value (see: https://developer.mozilla.org/en-US/docs/DOM/window.alert)

If you want to see what arguments are being passed, add a console.dir(arguments); to the code.
