jsFiddle如何允许和执行用户定义的JavaScript而不危险？ [英] How does jsFiddle allow and execute user-defined JavaScript without being dangerous?

问题描述

我一直在使用一个JS库，并希望在Github上设置一个演示页面，例如，允许用户定义自己的回调和执行命令。

I've been working on a JS library and would like to setup a demo page on Github that allows, for example, users to define their own callbacks and execute commands.

我知道 eval（）是邪恶的，我可以看到如何blind eval （）的脚本可能会导致XSS和其他安全问题。我想尝试一些替代方案。

I know "eval() is evil" and I can see how blind eval() of scripts could lead to XSS and other security issues. I'm trying to cook up some alternative schemes.

我真的很喜欢jsFiddle的互动。我看看他们的来源，但希望有人可以在这里展示如何jsfiddle允许和执行用户定义的JavaScript，而不危险。只要不涉及第三方回显服务器，我希望我可以效仿的方法。

I really enjoy the interactivity of jsFiddle. I've taken a look at their source but was hoping someone could lay out here how jsFiddle allows and executes user-defined JavaScript without being dangerous. So long as it doesn't involve a 3rd party echo server, I'm hoping I can emulate the approach.

推荐答案

jsFiddle在单独的域 http://fiddle.jshell.net （）上执行用户脚本尝试它并查看）。

因此，它不能与父框架交互，它不能窃取cookie。

jsFiddle executes user scripts on a separate domain, http://fiddle.jshell.net (try it and see).
Therefore, it can't interact with the parent frame and it can't steal cookies.

你可以在没有单独的服务器的情况下通过将一个静态页面放在一个单独的域中读取JavaScript中的查询字符串。

你可以使用页面标题进行通信（敌人也可以）。

You can actually do this without a separate server by placing a static page in a separate domain that reads from its querystring in Javascript.
You can communicate back using the page title (and so can the enemy).

这篇关于jsFiddle如何允许和执行用户定义的JavaScript而不危险？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！