What's New: The Latest Release Notes RRS feed

  • General discussion

  • This thread will track significant changes to the Sandbox.

    November 5th:
    This was a pretty big update:
    1. We added a few significant performance optimizations.  Array manipulations, User-defined objects and classes, and function invocation are now significantly faster.
    2. We fixed a number of security issues.  We had a bug in the prototype chain handling code that could cause native methods to accidentally leak.  We also missed one scenario which allows you to perform arbitrary code execution:


      There are quite a few variants of the above code:


      All of these should no longer be possible.

    October 24th:
    Fixed Siliverlight issues and loading the blockbash.html game 

    • Edited by Scott Isaacs Friday, November 7, 2008 12:51 AM Update change list
    Monday, November 3, 2008 9:07 PM

All replies

  • Changes for November 13th:

    1) We now silently ignore any invalid or unsupported CSS property values specified via a stylesheet. In debug mode, any bad values will throw an exception.

    2) Fixed a bug with deleting the first item in an array (e.g., delete arrayInstance[0])

    3) Added support for dynamically loading scripts. For example:
    var elScript = document.createElement("script")

    4) Fixed a bug with empty string delimiters for the Array join method. e.g., Array.join("").

    5) Fixed support for the HTML select element and added support for the OPTGROUP element.

    6) Fixed getElementById for non-existent elements (no longer throw an error)

    7) Added initial support for HTML DOM prototypes for all supported HTML elements.  E.g.,
    HTMLElement.prototype.customMethod = function()
        alert("Add new method");return null;

    HTMLDivElement.prototype.extendDiv = function() {
        alert("New Div method");return null

    Known Issues:
    Support for getters/setters is coming soon.
    Any custom methods currently must return a value other than undefined (e.g., return null is acceptable).

    8) Support for changing the type of an input element.

    Known Issue:
    Once you change the type of the element, you must reset any references you may have to the element. For example:

    var elInput = document.getElementById("someinput");
    elInput.type = "button"
    // If you change the type, you must do the following before acting on elInput again
    elInput = document.getElementById("someinput");
    // now you have a good reference

    The sandbox will throw an error if you violate this pattern.

    9) Closed a security hole with dereferencing a constructor chain:

    (function(){x=(arguments.callee.constructor.constructor('alert("Bad Stuff")'));x()})();

    10) Added support for toDateString and toTimeString to date instances.

    Known Issue:
    Currently only supported on browsers that support these methods.

     11) The onload event now simulates the normal timing of the browser and does not fire until all images on the page are also loaded. 

    Known Issue:
    If images are disabled in IE, the onload event does not fire.

    • Edited by Scott Isaacs Friday, November 14, 2008 3:44 AM Updated List
    Friday, November 14, 2008 3:40 AM
  • Changes for December 10th:


    1) Fixed a number of bugs around the cssText property.

    2) Added support for dynamically changing the type of INPUT elements.

    3) Improved support for HTML prototypes (e.g., added TABLESectionElement, etc.)

    4) Improved support for document.write. You should be able to use document.write for injecting well-formed HTML into the page. Your document.write still cannot inject event handlers or scripts. 

    5) Added fixes in event handler's removeEventListener.

    6) Enabled IE's currentStyle and runtimeStyle properties (for IE only)

    7) Fixed a memory leak that could lock-up IE6 if an ID-based CSS rule was specified.  This memory leak is prevented regardless of the rule specified by the untrusted code.

    8) Added support for indexed access to strings. IE does not support "abc"[0]  to return the first character.  We enabled this pattern to work in all browsers.  This issue enables the GUID library to run in Internet Explorer unmodified (without the sandbox, the code failed in IE).

    9) Added the option to use the Azure-hosted transformation pipeline in the interactive pages.

    Happy holidays!


    Dragos Manolescu, Live Labs Program Manager
    Thursday, December 18, 2008 6:42 PM