Javascript沙盒? [英] Javascript Sandbox?
问题描述
是否可以通过覆盖各种功能来沙箱用户提交的Javascript,例如 alert
, window.location
, eval
?
Would it be possible to sandbox user-submitted Javascript by overriding various functions such as alert
, window.location
, and eval
?
我不是在寻找一个完美的解决方案。我敢肯定有些人仍然会找到一种方法来重新排列div来拼出咒骂或恶意的东西,但如果我可以100%可靠地禁用页面重定向,我会非常高兴。
I'm not looking for a perfect solution. I'm sure some people would still find a way to rearrange divs to spell out swear words or something malicious, but if I could disable page redirects 100% reliably I would be mostly happy.
我在Chrome中试过,做过像
I tried in Chrome, and doing something like
context={}; //use this to prevent `this` from being `window`
context.f=function(){
var window=null,location=null,eval=function(){};
console.log(window); //also the other two
};
context.f();
看起来很有希望。如果我用用户提交的代码替换控制台
行(检查平衡),这是一个荒谬的坏主意还是一个有点不好的主意?在Chrome上,我仍然可以通过这个
来解决问题并重新定义,但这对我来说是可以接受的。
seems promising. If I replace the console
line with user-submitted code (checking for paren balancing), would that be an absurdly bad idea or a mildly bad idea? On Chrome I can still break things by going through this
to Function and redefining things, but that would be acceptable to me.
推荐答案
您可以使用 Microsoft Web Sandbox 或 Google Caja 。
这篇关于Javascript沙盒?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!