Comments on a.in.the.k: "Interesting project" - owasp-esapi-js

Comment by a.in.the.k (@ainthek), 2010-08-03 09:43 (+01:00):

"closures provides the illusion of security": nice sentence, but properly using closures, aliasing functions and using other techniques minimizes the possible "attack or damage-by-mistake surface" and helps to write "unobtrusive" code that does not interfere with others (at least).

Could you explain what you mean by "sandboxing" and "footprint", and how sandboxing can influence footprint?

I believe you are employed as a SW Engineer, but, sorry, no offence, it still makes no guarantee of "professional JavaScript knowledge". Those two are unrelated topics. I'm a professional JavaScript and Java coder and I have far from professional JS knowledge. There are other geeks on the web I try to learn from.

I will send you by email very brief suggestions that could make the first step to improve things.

I also hope we can attract more JS people with this small chat, and in several years I will be able to download and use OWASP-labeled code and benefit from it.

Comment by Chris Schmidt, 2010-08-03 01:46 (+01:00):

First, thanks for taking a look at the project. The more eyes we have on it, the better it will be when it is finished!

I am the project owner of the ESAPI4JS project, and as such wanted to make sure that the air is clear and that the status of the project was not misunderstood.

This project is *far* from release quality at this point - the code that is checked in now is merely a working prototype of the library. I originally would have thought this was a given with the version of 0.1.3, but perhaps I was wrong in that assumption, so I apologize for any misconception that this code was ready to be used in a production application.

Second, while wrapping functions in closures provides the illusion of security in JavaScript by limiting the scope of the executing code, I would also like to point out that at this point it really doesn't matter what scope the code lives in; it is inherently insecure, as in JavaScript everything ultimately has to bubble up to the global scope at some point to be accessible to the rest of the code. Originally, the concept was to expose the ESAPI locator in the global scope and privatize the rest of the code, with references only available to private members of the locator itself. However, even at that point any implication of security is still nothing more than an illusion, due to the fact that as soon as something is exposed in the global scope, anything else can modify it or its references.

That being said, I have toyed around with the idea of sandboxing; however, I think that it is also important that the footprint of ESAPI be as small as possible to accomplish its goals.

I have been engaged with the ECMA 5 community and with the Firefox team in the implementation of the Object.lock/unlock prototypes, as I feel that this is an imperative step in truly creating a useful JavaScript security API.

All that being said - I would love the opportunity to chat with you about ideas you may have to make the library better or more useful - and if you have cycles to spare, it sounds like you definitely have a lot to contribute to the project as a whole.

Also - for the record, I am a professional Software Engineer - I write primarily in Java and do quite a bit of JavaScript, HTML, and CSS. It is not a lack of knowledge that you see, more so a desire to get a prototype out quickly to demonstrate the potential usefulness of such a library.

Feel free to contact me personally at chrisisbeef (at) gmail (dot) com - or join the ESAPI-Developers and ESAPI-Users mailing lists. Without criticism, progress can't be made - and there are definitely a lot of us looking to make ESAPI better for every language.