Skip to content Skip to sidebar Skip to footer

Use Eval Without Threat Of XSS

I was making(not now, but still I'm curious about this one) a game using HTML5 and JS, and one I wanted was that people can insert custom script, but secure. function executeCustom

Solution 1:

I recommend you expose a limited scripting language over JSON. So document a scripting engine that requires you to create a JSON object as your code.

This has the large advantage that it's impossible to inject bad code into JSON because it's just data.

So you can create some kind of declarative syntax for your scripting code. For example

{
    "0": {
        "Action": "move",
        "X": 10,
        "Y": -5
    },
    "1": {
        "Action": "emote",
        "type": "dance"
    }
}

Now what is a good design for a tiny declarative scripting language is a completely different question.


Solution 2:

Expose anything the user may wish to do as combinators, e.g. a sublanguage.


Solution 3:

https://developers.google.com/caja/

The Caja Compiler is a tool for making third party HTML, CSS and JavaScript safe to embed in your website. It enables rich interaction between the embedding page and the embedded applications. Caja uses an object-capability security model to allow for a wide range of flexible security policies, so that your website can effectively control what embedded third party code can do with user data.


Post a Comment for "Use Eval Without Threat Of XSS"