Is there a way to jail in Javascript, so that the DOM isn't visible
Problem description
I would really like to provide the user some scripting capabilities, while not giving it access to the more powerful features, like altering the DOM. That is, all input/output is tunneled through a given interface. Like a kind of restricted JavaScript.
Example:
If the interface is checkanswer(func)
this is allowed:
checkanswer(function (x, y) {
    return x + y;
});
but these are not allowed:
alert(1)
document.write("hello world")
eval("alert()")
Edit: What I had in mind was a simple language that was implemented using Javascript, something like http://stevehanov.ca/blog/index.php?id=92
Recommended answer
(Edit This answer relates to your pre-edit question. Don't know of any script languages implemented using Javascript, although I expect there are some. For instance, at one point someone wrote BASIC for Javascript (used to have a link, but it rotted). The remainder of this answer is therefore pretty academic, but I've left it just for discussion, illustration, and even cautionary purposes. Also, I definitely agree with bobince's points — don't do this yourself, use the work of others, such as Caja.)
If you allow any scripting in user-generated content, be ready for the fact you'll be entering an arms race of people finding holes in your protection mechanisms and exploiting them, and you responding to those exploits. I think I'd probably shy away from it, but you know your community and your options for dealing with abuse. So if you're prepared for that:
Because of the way that Javascript does symbol resolution, it seems like it should be possible to evaluate a script in a context where window, document, ActiveXObject, XMLHttpRequest, and similar don't have their usual meanings:
// Define the scoper
var Scoper = (function() {
    var rv = {};
    rv.scope = function(codeString) {
        // Locals that shadow the dangerous globals for the eval'd code
        var window,
            document,
            ActiveXObject,
            XMLHttpRequest,
            alert,
            setTimeout,
            setInterval,
            clearTimeout,
            clearInterval,
            Function,
            arguments;
            // etc., etc., etc.

        // Just declaring `arguments` doesn't work (which makes
        // sense, actually), but overwriting it does
        arguments = undefined;

        // Execute the code; still probably pretty unsafe!
        eval(codeString);
    };
    return rv;
})();
// Usage:
Scoper.scope(codeString);
(Now that uses the evil eval, but I can't immediately think of a way to shadow the default objects cross-browser without using eval, and if you're receiving the code as text anyway...)
But it doesn't work, it's only a partial solution (more below). The logic there is that any attempt within the code in codeString to access window (for instance) will access the local variable window, not the global; and the same for the others. Unfortunately, because of the way symbols are resolved, any property of window can be accessed with or without the window. prefix (alert, for instance), so you have to list those too. This could be a long list, not least because, as bobince points out, IE dumps any DOM element with a name or an ID onto window. So you'd probably have to put all of this in its own iframe so you can do an end-run around that problem and "only" have to deal with the standard stuff. Also note how I made the scope function a property of an object, and then you only call it through the property. That's so that this is set to the Scoper instance (otherwise, on a raw function call, this defaults to window!).
But, as bobince points out, there are just so many different ways to get at things. For instance, this code in codeString successfully breaks the jail above:
(new ('hello'.constructor.constructor)('alert("hello from global");'))()
Now, maybe you could update the jail to make that specific exploit not work (mucking about with the constructor properties on all — all — of the built-in objects), but I tend to doubt it. And if you could, someone (like Bob) would just come up with a new exploit, like this one:
(function(){return this;})().alert("hello again from global!");
Hence, the arms race.
The only really thorough way to do this would be to have a proper Javascript parser built into your site, parse their code and check for illegal accesses, and only then let the code run. It's a lot of work, but if your use-case justifies it...
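The jail from the answer above and the two escapes it lists, run end to end as an added example. This is not code from the original question or answer, and it targets Node.js rather than a browser. The names jailedEval, reportEscape, runJailDemo and escapes are assumptions; reportEscape stands in for the browser's global alert, which Node does not have.

```javascript
// Added example, not code from the original question or answer: the shadowing
// "jail" the answer describes, rebuilt for Node.js so the two escapes can be
// exercised offline.  All names here (jailedEval, reportEscape, runJailDemo,
// escapes) are hypothetical; reportEscape stands in for the browser's global
// alert, which Node does not have.

// A global that untrusted code must not reach.  Each time it IS reached, the
// route taken is recorded so the result of every attempt is visible.
const escapes = [];
globalThis.reportEscape = function (how) {
  escapes.push(how);
  return 'escaped:' + how;
};

// The jail body is created with the Function constructor so it always runs in
// sloppy mode, whatever mode this file is loaded in.  The answer's technique
// (and one of its escapes) depends on sloppy-mode rules: a plain call's `this`
// is the global object.  As in the answer's Scoper.scope, local `var`s shadow
// the dangerous global names and a DIRECT eval then runs the untrusted string
// inside that scope.  The answer's `arguments` shadowing is left out; it is
// not needed for what is shown here.
const jailedEval = new Function('codeString', [
  'var window, document, globalThis, global, self, Function,',
  '    setTimeout, setInterval, clearTimeout, clearInterval, reportEscape;',
  'return eval(codeString);',
].join('\n'));

// Runs four untrusted snippets through the jail and reports what happened.
function runJailDemo() {
  escapes.length = 0;
  const results = {};

  // 1. The legitimate use from the question: a pure function, evaluated and
  //    applied inside the jail.  Nothing global is touched.
  results.legit = jailedEval('(function (x, y) { return x + y; })(2, 3)');

  // 2. A plain reference to a shadowed name.  `reportEscape` resolves to the
  //    jail's local (undefined), so calling it throws a TypeError: blocked.
  try {
    jailedEval('reportEscape("direct")');
    results.direct = 'reached';
  } catch (e) {
    results.direct = e.constructor.name;
  }

  // 3. The answer's first escape.  The Function constructor is reached via a
  //    string literal's prototype chain, so shadowing the `Function` binding
  //    is irrelevant, and code built by `Function` runs in the GLOBAL scope,
  //    where reportEscape is the real one.
  results.viaConstructor = jailedEval(
    "(new ('hello'.constructor.constructor)" +
    "('return reportEscape(\"via Function constructor\")'))()");

  // 4. The answer's second escape.  In sloppy mode a plain function call gets
  //    the global object as `this`, regardless of any shadowed locals.
  results.viaThis = jailedEval(
    '(function () { return this; })().reportEscape("via this")');

  results.escapes = escapes.slice();
  return results;
}

console.log(runJailDemo());
```

What this makes concrete: shadowing only intercepts identifier lookups inside the jailed scope. Anything reached through an object's prototype chain (a string literal's constructor's constructor is the real Function) or through sloppy-mode this is the untouched global object, so a blocklist of names can never be complete, which is the arms race the answer warns about.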