@Wolf480pl@niu.moe
Probably.
(never tried, actually)
But it cannot (by itself) let website owners tunnel into your networks as #JavaScript does.
At least, as far as I know.
____
NOTE: I agree that Turing completeness is wrong for a presentation language.
#XSLT is more general, though.
@Shamar @Wolf480pl @tuxcrafting @izaya that's not js that's the browser apis (I presume, I don't know specifically what attack you're referring to)
Js itself has no ability to "tunnel into your networks".
Give Lua the same apis and you're back to square one.
#JavaScript let any website you visit to tunnel into your network.
You can read more about this here:
https://rain-1.github.io/in-browser-localhostdiscovery
and here:
https://dev.to/shamar/the-meltdown-of-the-web-4p1m
The #Russian Government is still exploiting this technique, months (years?) after #Mozilla and #Chrome have been informed:
https://bugzilla.mozilla.org/show_bug.cgi?id=1487081#c16
(and it's just ONE of the possible exploits of this wide class of #security vulnerability)
But yes, without the design changes I described back then, #lua would not be better that #JS, if used in the same way.
That's why #WebAssembly is such a terrible idea.
Because I was able to understand what the Russian government was doing by reformatting and reading the code. Try to do the same with a binary optimized by #GCC.
