Javascript沙盒？ [英] Javascript Sandbox?

问题描述

是否可以通过覆盖各种功能来沙箱用户提交的Javascript，例如 alert ， window.location ， eval ？

Would it be possible to sandbox user-submitted Javascript by overriding various functions such as alert, window.location, and eval?

我不是在寻找一个完美的解决方案。我敢肯定有些人仍然会找到一种方法来重新排列div来拼出咒骂或恶意的东西，但如果我可以100％可靠地禁用页面重定向，我会非常高兴。

I'm not looking for a perfect solution. I'm sure some people would still find a way to rearrange divs to spell out swear words or something malicious, but if I could disable page redirects 100% reliably I would be mostly happy.

我在Chrome中试过，做过像

I tried in Chrome, and doing something like

context={}; //use this to prevent `this` from being `window`
context.f=function(){
  var window=null,location=null,eval=function(){};
  console.log(window); //also the other two
};
context.f();

看起来很有希望。如果我用用户提交的代码替换控制台行（检查平衡），这是一个荒谬的坏主意还是一个有点不好的主意？在Chrome上，我仍然可以通过这个来解决问题并重新定义，但这对我来说是可以接受的。

seems promising. If I replace the console line with user-submitted code (checking for paren balancing), would that be an absurdly bad idea or a mildly bad idea? On Chrome I can still break things by going through this to Function and redefining things, but that would be acceptable to me.

推荐答案

您可以使用 Microsoft Web Sandbox 或 Google Caja 。

这篇关于Javascript沙盒？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！