Custom JS scripting in a web app?

R

russlobachev2013-08-19 13:50:01

JavaScript

russlobachev, 2013-08-19 13:50:01

Target. I give the user the opportunity to customize the output of data in the interface. But not through the settings screen, but by writing a script. To do this, I provide him with a part of my DOM that is responsible for the output. For example, I pass it as a root app object to the scripting engine, and through this app as a global variable, the user scripts the output.
In theory, this can be done through eval. But how to close the user access to external objects (window, alert, etc.) and allow them to work only within my DOM?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

K

Konstantin Kitmanov, 2013-08-19
@k12th

Caja did not look?

I

Ilya Sevostyanov, 2013-08-19
@RUVATA

If through eval, by means of JavaScript in any way.

S

spmbt, 2013-08-19
@spmbt

No way. The user can inject a script (Script src tag) that will access window in Chrome, where they specifically tried to complicate the access of content scripts, and in other browsers getting window was never a problem. (Actually, you didn’t specify WHO will write the script. But, probably, it is meant that the user.)
If you are thinking of receiving data and executing them as a script via eval (), then, except that this is a bad idea , such a script needs to be run in a different domain in the frame, then you have a chance not to get hacked users and the system.