9

Given this JavaScript code (which is just a comment referring to a url):

// see http://enterprisejquery.com/2010/10/how-good-c-habits-can-encourage-bad-javascript-habits-part-1/

JSLint with "Safe Subset" turned on will say

Dangerous comment.
// http://enterprisejquery.com/2010/10/how-good-c-habits-can-encourage-bad-javascript-habits-part-1/

How can a comment be dangerous? Comments, by definition, aren't parsed! Or are they?

Edit: Using a different url isn't necessarily dangerous. For example this:

// http://enterprisejquery.com

doesn't trigger the flag. How can one URL in a comment be 'dangerous', but another isn't?

paleozogt
  • 6,393
  • 11
  • 51
  • 94

2 Answers

3

"Dangerous" comments match the regular expression:

/@cc|<\/?|script|\]\s*\]|<\s*!|&lt/i

In this case, your comment is "dangerous" because it contains the string "script".

I think this is probably a false positive.

Samuel Edwin Ward
  • 6,526
  • 3
  • 34
  • 62
  • You're right-- this is [script block paranoia](http://stackoverflow.com/questions/1474185/what-does-this-mean-document-writescript). Wow, I wish jslint would just say that. – paleozogt Jun 14 '12 at 17:38
  • btw, just doing `// script` triggers it. Or in the question example, replacing 'javascript' with 'foo' makes the error go away. – paleozogt Jun 14 '12 at 17:39
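The following is an added example, not part of Samuel's answer or of JSLint itself. It runs the regular expression quoted above over the comments from the question and the discussion (plus two constructed ones), reporting which alternation fired, and then shows the HTML-level hazard the check exists for: an inline `<script>` element is closed by the HTML parser at the first `</script`, even inside a JavaScript comment. The helper names (`classifyComments`, `findScriptTerminator`, `escapeClosingTags`) are assumptions for this example; JSLint's actual source is not on this page, only the pattern the answer quotes.

```javascript
// Added example (not from the original question or answers): apply the JSLint
// "dangerous comment" pattern quoted in the answer above to sample comment
// lines, and show the HTML-level reason such a check exists.

// The pattern exactly as the answer quotes it. JSLint's real source is not on
// this page; this constant reproduces only the quoted regex.
const DANGEROUS_COMMENT = /@cc|<\/?|script|\]\s*\]|<\s*!|&lt/i;

// Sample comments: the three from the question and discussion, plus two
// constructed ones that exercise another alternation of the regex.
const SAMPLE_COMMENTS = [
  "// see http://enterprisejquery.com/2010/10/how-good-c-habits-can-encourage-bad-javascript-habits-part-1/",
  "// http://enterprisejquery.com",
  "// script",
  "/* closing tag: </script> */",          // constructed
  "// harmless note about the DOM",        // constructed
];

// For each comment, report whether the regex fires and which text it matched.
// exec() returns the leftmost match, so the matched fragment tells you which
// alternation of the pattern caused the "Dangerous comment" verdict.
function classifyComments(comments) {
  return comments.map((text) => {
    const m = DANGEROUS_COMMENT.exec(text);
    return { text, dangerous: m !== null, match: m ? m[0] : null };
  });
}

// The underlying hazard: when JavaScript is inlined in an HTML <script>
// element, the HTML parser ends the element at the first "</script" it sees,
// regardless of whether JavaScript treats that text as a comment or a string.
// Returns the index of such a premature terminator, or null if there is none.
function findScriptTerminator(scriptBody) {
  const idx = scriptBody.search(/<\/script/i);
  return idx === -1 ? null : idx;
}

// Common mitigation when emitting JavaScript into inline script tags: break up
// "</" so the HTML parser never sees a closing tag. JavaScript still reads the
// same characters, because "<\/" in a string or comment is simply "</".
function escapeClosingTags(scriptBody) {
  return scriptBody.replace(/<\//g, "<\\/");
}

// Demo
for (const r of classifyComments(SAMPLE_COMMENTS)) {
  console.log(r.dangerous ? `DANGEROUS (${r.match})` : "ok", r.text);
}
const body = "/* see </script> */ alert(1);";
console.log(findScriptTerminator(body));                    // 7
console.log(findScriptTerminator(escapeClosingTags(body))); // null
```

Running it shows that the long URL and the bare `// script` comment are flagged only because the word "script" appears in them, the short URL is not flagged at all, and a comment containing `</script>` is flagged on the `</` alternation, which is the case the check is really guarding against.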
2

You can execute comments manually using eval:

http://googlecode.blogspot.com/2009/09/gmail-for-mobile-html5-series-reducing.html

To combine all modules into a single resource, we wrote each module into a separate script tag and hid the code inside a comment block (/* */). When the resource first loads, none of the code is parsed since it is commented out. To load a module, find the DOM element for the corresponding script tag, strip out the comment block, and eval() the code.

Also, someone might accidentally uncomment the dangerous code and create a vulnerability.

By default, no, JavaScript comments are not parsed. But they are not a nice thing to have lying around.

stan
  • 4,885
  • 5
  • 49
  • 72
  • JSLint doesn't think that all URLs-in-comments are dangerous, tho. I've edited my question to show this. Why are some URLs dangerous but others aren't? – paleozogt Jun 14 '12 at 17:21
  • Also, since the comment _isn't actually javascript_, how can it be dangerous? Wouldn't the eval just fail? – paleozogt Jun 14 '12 at 17:29
  • Good question. I guess Samuel answered that question. But his answer just raises another question of why that regex is actually considered dangerous. – stan Jun 14 '12 at 17:49
  • It's worried about triggering an [end-script block](http://stackoverflow.com/questions/1474185/what-does-this-mean-document-writescript). But I think the regex is capturing too much, as it even matches against 'script', which is obviously not dangerous. – paleozogt Jun 15 '12 at 15:35