Location: A review of cardiac cellular electrophysiology models @ c47db6b2fedb / dojo-presentation / js / dojo / dojox / secure / tests / load.html
- Author:
- David Nickerson <david.nickerson@gmail.com>
- Date:
- 2021-09-17 15:39:51+12:00
- Desc:
- tweak html formatting
- Permanent Source URI:
- https://models.fieldml.org/workspace/a1/rawfile/c47db6b2fedb368422c7f4d5191aeb9f319ad684/dojo-presentation/js/dojo/dojox/secure/tests/load.html
dojox.secure.sandbox Tester
This a test page for dojox.secure.sandbox. dojox.secure.sandbox is intended to safely execute untrusted scripts, and allow the scripts to access only a certain sub-tree of the DOM. Eventually, this can be used to safely load ads and untrusted widgets. All attempts to subvert the security of this system are greatly appreciated. If you find any holes, any ways that you can access the DOM or the JavaScript environment outside of the sandbox, please add a comment to the enhancement ticket. To test secure load, simply enter JavaScript in the text box below and click execute. The JavaScript should only have access to the DOM within the floating div below. The sandbox element is available as the element variable from within the sandboxed JavaScript. Please see below for more detailed instructions on what facilities are available within the sandbox.
Hi there, element is the sandboxed element, which you can access and manipulate
"; document.write("You can use document.write for your sandbox area. However, the following limitations apply:
"); query("em").style("color","blue"); // you can use query to find and modify //query(".intro").style("opacity",0).fadeIn().play(); style(byId("more"),"color","red"); var limitations = ["No access to |this| keyword", "The [] index operator is not allowed", "Global variables are not allowed except element and document", "You can not access most of the relationship properties on elements (parentNode, firstSibling, nextSibling, etc.)"]; // you can also use other standard DOM features as well var ul = document.createElement("ul"); element.appendChild(ul); forEach(limitations,function(limitation) { var li = document.createElement("li"); ul.appendChild(li); li.innerHTML = limitation; }); element.appendChild(document.createElement("p")).innerHTML = "Because " + get(limitations,1) + " you may use " + "get(obj,property), set(obj,property,value), and forEach(array) instead"; // here is an example of creating a class (where |this| can be used): var Flicker = Class({ constructor : function(element) { this.element = element; connect(element,"onmouseenter",this,"enter"); connect(element,"onmouseout",this,"exit"); }, enter: function(event) { style(this.element,"color","green"); }, exit: function(event) { style(this.element,"color","orange"); } }); new Flicker(ul); // you can also access other dojo functions: var copy = mixin({},limitations);Note that these require a proxy file in order to load: Execute
Load and execute JavaScript
Load and show HTML
The JavaScript in the sandbox generally follows the rules of ADsafe:
- Use of eval, with, ==, !=, and the subscript operator [] are not allowed.
- Limited access to this and global variables.
- These properties may not be used: apply arguments call callee caller constructor eval prototype this unwatch valueOf watch and anything beginning or ending with __.
The following global variables are accessible:
- element - This the root element of the sandbox. Sandboxed elements do not have access to relational properties (parentNode, firstSibling, nextSibling, etc.). You can still use DOM methods and string properties like innerHTML. The style object can also be used (accessed and modified) as well.
- document - This is a sandboxed document object that provides node creation and basic element searching facilities. The sandboxed document provides the following methods: getElementById, createElement, createTextNode, and write.
The following standard JavaScript/DOM functions/constructors and (their child functions when applicable) may be called. They may only be used in call position, they may not be accessed in any other way. They generally behave as the standard JavaScript function, unless otherwise noted:
- isNaN
- isFinite
- parseInt
- parseFloat
- escape
- unescape
- encodeURI
- encodeURIComponent
- decodeURI
- decodeURIComponent
- alert
- confirm
- prompt
- Date
- RegExp
- Error
- Number
- Math
- setTimeout - This will only accept a function (not a string)
- setInterval - This will only accept a function (not a string)
- clearTimeout
- clearInterval
- get(obj,prop) - This is a special function to handle accessing properties in lieu of the [] operator. Calling get(obj,prop) is equivalent to obj[prop].
- set(obj,prop,value) - This is a special function to handle modifying properties in lieu of the [] operator. Calling set(obj,prop,value) is equivalent to obj[prop]=value.
- forEach(obj,func) - This is a special function to iterate through all the properties in an object, or items in an array. For each item, the func function will be called with the item as the first argument, the index as the second, and the obj as the third
- Class(superclass..., properties, classProperties) -
The this operator may only be used in class definitions. secure.sandbox provides Class as a
class constructor. The following argument are accepted:
- superclass: There may be zero or more superclass arguments. The constructed class will inherit from any provided superclasses, protypically from the first, via mixin for the subsequent. Later arguments will override properties/methods from earlier arguments
- properties: The constructed "class" will also have the methods/properties defined in this argument. These methods may utilize the this operator, and they are only the code that has access to this. Inner functions are also prohibited from using this. If no superclasses are provided, this object will be the prototype of the constructed class (no copying will be done). Consequently you can "beget" by calling new (Class(obj)). All methods are "bound", each call results in |this| safety checking call.
- classProperties: This properties will be copied to the new class function.
- mixin
- require
- isString
- isArray
- isFunction
- isObject
- isArrayLike
- isAlien
- hitch
- delegate
- partial
- trim
- connect
- disconnect
- subscribe
- unsubscribe
- Deferred
- toJson
- fromJson
- style
- attr
- query - This will only search within the sandbox.
- byId
- body - This returns the root element of the sandbox