
If you can't escape the VM, then where is the insecurity?

If someone is dumping privileged data into a VM that's insecure no matter what, why would you blame webasm?



Web pages can have insecure JavaScript even if the sandbox isn't escaped. Sandbox escape isn't the only possible vulnerability in sandboxed applications. This is basic stuff that I know you already agree with so I don't understand why you keep pressing it.

"Why would you blame WASM" is the right question. As I have said in LITERALLY every single comment so far, blaming WASM instead of the alleged hype people is where pjmlp is wrong. He's not wrong in the assertion that insecure programs may remain insecure when run in the WASM sandbox. But you refuse to listen. This conversation is like talking to a much less polite ChatGPT.


You're arguing against claims no one is making. No one thinks webasm magically fixes bugs. I never said that and no one else did either.


Fucking hell, please pay attention to the discussion you're in. pjmlp's claim is: marketing around WASM suggests that running C programs in WASM instead of natively magically makes those C programs safe.


I doubt anyone is suggesting "magic" and obviously when people talk about 'safety' they mean preventing crashes and escaping the VM.

What specific marketing are you talking about? Link what you're referring to.


Read. My. Comments. I am not claiming that WASM has been misleadingly marketed. pjmlp is. Ask him to link to what he's referring to.


After all this, now you're going to say you don't actually have any of these criticisms and you were just repeating someone else's claims?

Ask him to link to what he's referring to.

He posts this stuff in half the webasm threads I see. Like you he never has anything to back it up and you both get very upset at people asking.


YES! I DISAGREE WITH PJMLP! ALL MY RESPONSES TO PJMLP HAVE BEEN ME DISAGREEING WITH HIM! ALL MY RESPONSES TO YOU HAVE BEEN ABOUT HOW YOU CAN ARGUE AGAINST HIM BETTER BY UNDERSTANDING WHICH WRONG CLAIMS HE ACTUALLY MADE, SO THAT YOU'RE NOT ARGUING AGAINST STRAW MEN! PAY ATTENTION!

This is my last response in this thread. You've displayed a profound inability to think. I can't be part of this anymore.


Maybe you should reply to him then instead of getting so upset.


I already did reply to him, see https://news.ycombinator.com/item?id=38613663.


I don't really understand your expectations here. You seem to disagree with someone else and they won't reply to you to give you evidence of their claims. What do you hope to accomplish by replying to me?


I replied to pjmlp because I thought (and still think) he was wrong in his characterization that WASM is a failure because it doesn't magically make insecure C programs secure.

I replied to you because I thought (and still think) you were wrong and/or misunderstanding what pjmlp was saying.

I can disagree with two people at the same time. I don't see the issue.


A reference was already provided. Here's a direct link to the demo of a cross-site scripting attack via webassembly:

https://www.youtube.com/watch?v=glL__xjviro&t=450s


That looks like you have to load up a local file with an exploit, use a png library not being used by major software that also doesn't check for issues with the png file (because they already need to deal with malicious files) and the end result is that it will run javascript if javascript is able to be run from webasm in that context.

It is still worth looking at and is actual information, so I appreciate that.


Don't focus on the specific exploit, it's a general issue:

In order to be useful, your wasm application will likely have to be able to make system calls, or whatever its equivalent might be on your particular host environment. If you can corrupt internal state, you can control the arguments to these calls. The severity of the issue will depend on what your application is allowed to do: If all it has access to is some virtual file system, the host will still be safe. But if that virtual file system contains sensitive data, results may nevertheless be catastrophic if, say, it can also request resources over http.
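
The general issue in the comment above, as an added example that is not part of the thread: a plain `Uint8Array` stands in for wasm linear memory, and an unchecked guest copy changes the argument of a host call without ever leaving the sandbox. The memory layout, the `httpGet` import, the function names and the `.test` URLs are all constructed for illustration; the second host configuration shows how a deny-by-default policy on the import bounds the damage.

```javascript
// Constructed simulation of wasm linear memory; not a real module.
const memory = new Uint8Array(64);
const NAME_OFF = 0, NAME_CAP = 16;   // guest's fixed-size input buffer
const URL_OFF = NAME_OFF + NAME_CAP; // adjacent guest state: URL passed to the host
const enc = new TextEncoder(), dec = new TextDecoder();

function writeCString(off, s) {
  const bytes = enc.encode(s);
  memory.set(bytes, off);
  memory[off + bytes.length] = 0;
}

function readCString(off) {
  let end = off;
  while (end < memory.length && memory[end] !== 0) end++;
  return dec.decode(memory.subarray(off, end));
}

// Guest logic as compiled from C: strcpy-style copy, no check against NAME_CAP.
// Every write stays inside linear memory, so the sandbox itself is never violated.
function guestSetName(input) {
  writeCString(NAME_OFF, input);
}

// Host import. allowedOrigins === null models a host that trusts guest arguments.
function makeHost(allowedOrigins) {
  const requests = [];
  function httpGet(ptr) {
    const url = readCString(ptr);
    if (allowedOrigins !== null) {
      let origin;
      try { origin = new URL(url).origin; } catch { return -1; }
      if (!allowedOrigins.has(origin)) return -1; // deny by default
    }
    requests.push(url); // stand-in for the real network call
    return 0;
  }
  return { requests, httpGet };
}

function run(input, allowedOrigins) {
  memory.fill(0);
  writeCString(URL_OFF, "https://api.example.test/report");
  const host = makeHost(allowedOrigins);
  guestSetName(input);
  return { rc: host.httpGet(URL_OFF), requests: host.requests };
}

const ALLOWED = new Set(["https://api.example.test"]);
const OVERLONG = "A".repeat(NAME_CAP) + "https://other.example.test/x"; // constructed input
```

`run(OVERLONG, null)` records a request to the overwritten URL, while `run(OVERLONG, ALLOWED)` returns `-1` and records nothing.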



