Comments on: Facebook JavaScript and Security

By: Ectara

Ectara — Wed, 02 Dec 2009 06:56:23 +0000

I’m 12 years old, and what is this?

By: KirstenLeanneFaux

KirstenLeanneFaux — Wed, 23 Apr 2008 11:55:55 +0000

I cannot use facebook properly, it keeps telling me to upgrade the javascript, how do i do this ?

By: zaheer

zaheer — Thu, 09 Aug 2007 12:21:32 +0000

I need some help. Can anyone tell me how can i use javascript with face book. i cannot even use alert(). Please explain as well.

By: atshya

atshya — Thu, 09 Aug 2007 07:26:14 +0000

Where can I get the demo?

By: Andrea Giammarchi

Andrea Giammarchi — Wed, 08 Aug 2007 22:29:31 +0000

uhm … above behaviour is correct only in a sandbox (but it works with FireFox, everytime)

By: Andrea Giammarchi

Andrea Giammarchi — Wed, 08 Aug 2007 22:20:59 +0000

just posted in my blog ... delete Function;(this.Function||parent.Function)("alert('safe?')")();

By: Scott Schiller

Scott Schiller — Wed, 08 Aug 2007 17:18:52 +0000

I imagine FB are going to have to step very, very carefully to prevent XSS-style holes in this service. Fortunately they have Joe Hewitt on their side. ;)

By: Neil Mix

Neil Mix — Wed, 08 Aug 2007 16:33:12 +0000

Matjaz: Take a moment to read up on what FBJS is and how it works, the need for acrobatics will become clearer then. FBJS rewrites the code so that all global accesses are prefix by an identifier unique to your application. Any reference to the global “Function” get rewritten to something like “asdf_Function”. So it’s not as simple as what you propose, hence the “long way” (which has since been fixed by Facebook).

By: MatjaÅ¾

MatjaÅ¾ — Wed, 08 Aug 2007 15:51:47 +0000

what about:
=============
var exploit = new Function(“alert(‘arbitrary code’)”);
exploit ();
=============
that’s what Neil did, but in a long way. :/

By: Adrian

Adrian — Wed, 08 Aug 2007 12:18:28 +0000

That means the black hat hackers where afraid of CIA if they didn’t tryed anything fishy on FB?