The situation is this: I have JavaScript that creates an interactive dialogue (and displays it as a comic strip through the creation of dynamic elements ... it's fun). The page allows the user to customize parameters by changing the dialog created by the script. As a theoretical example, one of the checkboxes might be “Use cussing”, and the script will add the words cuss to the returned string if this field is checked. OK, simple enough. Fun
Currently, he uses only one template (“comic book” has a very specific and focused goal) to create a dialogue; This template is hard-coded in JavaScript. I would like the user to be able to create his own template, which then turns into a script that runs just like the hard-coded version, and can also be controlled by checkbox options. Edit: To clarify, the user is not writing the script directly. They write a presentation (for which I am now considering using JSON), and when someone opens a page with a template, the page will THEN turn it into a script and execute it.
This creates some problems. The most obvious attack is the attacker. Edit: Until the user writes the script on their own, as all client sides can easily see my script parsing and may be able to figure out how to insert something. In fact, this did not bother too much. Complete editing. I am sure that there are some standard ways to deal with this, and since there is currently no server-side interaction - everything is on the client side - my main problem is that such a user cannot damage the experience of another user by sharing his bad version. Right now, I'm just deleting the line from the beginning, globally replacing all the characters that are not in the set:
str.replace(/[^a-zA-Z...]/g,'') .
Another problem is how to maintain your template on the page so that others can enjoy. As I said, there is no server-side interaction, and I would like to keep it that way. I do not want to create MySQL tables and store their templates. Unfortunately, this means that the only viable method I can think of is having their template in the URL query string. It's disgusting. And this imposes restrictions on the length of the character - only 2000 to be compatible with old IE, if I read correctly. (I also thought about generating the text of the HTML file that they could copy n paste, save as such, place it somewhere and send the address to my page to a URL that then loads into iFrame ...... Ha Yes , but not like user convenience - it includes both saving and the type of file that they probably never saved, as well as figuring out how to place the file, and creates even more serious security problems. )
The third problem is that after the page received the template from them, made it safe and turned it into a script, how should I execute this script? I heard that from the very beginning I started Javascript that eval is evil, so I avoided using it. Obviously, doing new Function(txt) just as vicious (although I did it many times before). I am ready to accept these claims of evil ..... But what alternatives are there? I searched google for this, and closest to my situation I could find https://stackoverflow.com/a/166658/ . The accepted answer suggests dynamically creating a script tag using textContent set to a script string. Would this also be the best solution for me?
Summary
I need to access custom text (preferably without storing it on the server side), parse it in Javascript, avoiding attacks, and then execute it using some alternative to eval() .
- Saves your template as a query string in the url, which can then be shared, the only way to get the template on the page?
- What are the security holes I should be aware of and what are the standard ways to protect against malicious users?
- What alternatives to eval exist for executing code that is not hardcoded in a script remotely deleted?