I'm curious whether the multiple warnings about running untrusted code in the browser are necessary. I feel like all websites are already untrusted code, and the browser is quite well sandboxed and protected from anything too bad happening. What is the worst-case scenario here for the user within the JS ecosystem, under known avenues of attack, not counting an unknown zero-day browser exploit?
- Your tab freezes due to an infinite loop for a while until your browser notices and asks you if you want to kill the script.
- The script downloads illegal content, and your ISP notifies authorities.
- CSRF attack against a site you're signed into that's not properly secured.
All of these things are things any site you go to can do. There's nothing special about `eval` that makes this site more dangerous.
Most people have no clue what they're running and can't possibly take the time to know enough to really have a clue.
Of course, if you’re running 3rd party ad scripts on your actual page, you’re at their mercy.
Stack Overflow is heavily moderated. I think it'd be a challenge to put something malicious on there which lived for more than an hour or so.
Compare that to your run of the mill PHP shared hosting. I know which side I'd rather take my chances with.
And you've only been here for a few weeks so I'll give you the benefit of the doubt, but calling something "unintentionally...hilarious" is usually taken as just another way of calling someone an idiot. I'd suggest you try to find ways to make your point without deriding those who don't share your view, especially on something so inconsequential.
I do; a random SO answer will be miles better than anything coming out of an average organisation.
To write an SO answer, you need to actually care about answering SO questions. To write code in an average company, you need to... have a pulse, it seems.
However, it's kind of unlikely there is much you can do with it. Sometimes a site will share cookies with subdomains, but this is not likely for GitHub because you are allowed to publish arbitrary JS there, so that would be a huge security hole.
The risk of eval() is giving control of the site data of foo.github.io to the author of a Stack Overflow comment.
The warning is part of the fun, though.
(Psst, if you're an engineer and like dev tools, I'm hiring! https://readme.io/careers)
Is it safe?
Uh… it evals both user input and random code, unchecked, from an external site. This is what the security-minded folks writing antivirus software would refer to as: hey, our unpacker does that too! In kernel mode if we're from Symantec! Must be perfectly safe!
Yeah, cheap shot, I know ;-)
My favorite part about this algorithm is that you can speed it up by a factor of k - for any k! - by simply dividing the time you sleep by k.
The runtime of this algorithm is O(n.2^k).
Correction, the page finally found this algorithm that sorts my array. So I am disappointed with the verifier function on this web page and may need to submit a PR.
1 - http://stackoverflow.com/questions/3730510/#3730579
`for (let x of xs)`
It's true to the xkcd mission, which is just to find SO answers until it returns something, not to actually confirm it was sorted correctly.
The first answer that apparently works has a comment stating that it fails with more than 2 duplicates; indeed I tried a list with three 3s and the resulting passing answer only had one of those threes.
I cringe at the code now, but still think the idea is neat.
Of course, the first thing that I did was to try it in a safe environment. It worked!!! :)
- GenghisKhanSort: delete all elements except for the first, repopulate the list with successors of the first element
- HitlerSort: Choose an element in the list you think is the best, then loop through the list removing any element that does not match.
- ThanosSort: delete half the array. The arrays may or may not be sorted, but it'll help for future sorting.
- TrumpSort O(0): the array is always sorted. Anyone who says otherwise is fake news.