Open juliendorra opened 9 years ago
Interesting talk from Pamela Fox of Khan Academy on how they manage ProcessingJS code on their live code editor: https://www.youtube.com/watch?v=EzHsLt9vLbk&feature=youtu.be&t=26m49s
(infinite loop, slow programs, hints, content origin policy, etc.)
Both JS Bin and CodePen have an open source implementation of infinite loop management/stopping:
JS Bin's Loop Protect rewrites the JavaScript with timers and tests, without building an AST. There's an implementation example. It's extracted from the JS Bin code base, which is fully open source. https://github.com/jsbin/loop-protect
CodePen's Infinite Loop Buster builds an AST using Esprima, and then adds the checks to the AST, which could be more robust and cover more cases. As CodePen is not open source, we can only infer that it is the version used on their site. https://github.com/CodePen/InfiniteLoopBuster
XSS is probably not of concern for Paysage, as we have no sessions or user information, but I tested with alert() and it's hugely annoying, especially as it goes off 60 times per second (in the draw loop) on the Playground.
Infinite loops and other errors that block the tab/browser are also an issue.
Very interesting podcast by CodePen on executing arbitrary JavaScript: http://blog.codepen.io/2015/07/07/045-javascript-security/
Some practical implementation tips here: https://github.com/jsbin/jsbin/wiki/Best-practices-for-building-your-own-live-paste-bin
For alert (and prompt, confirm, print, open) the fix is to redefine window.alert = function () {} so the function is empty. But there are other sorts of popups and modals possible :-( like camera access, geoloc, etc. that we can't access, and we would need to clean the code itself…
Content Security Policy would allow us to be sure that (modern) browsers only load code from trusted servers, while still allowing images to be loaded from anywhere on the web, for example. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
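To make the two techniques discussed in this thread concrete, here is an added example that is not code from JS Bin, CodePen or Paysage: a minimal loop guard in the spirit of JS Bin's loop-protect (a text rewrite without an AST that injects a timer check into every braced loop body) combined with the "redefine the dialog functions as empty functions" trick for alert/confirm/prompt/print/open. It assumes the user program is a plain string of ES5-style code, that loop bodies use braces, and that the names `__loopEnter`, `__loopCheck`, `instrumentLoops`, `runGuarded` and the `budgetMs` value are hypothetical choices for this demo. It runs under Node, where there is no `window`, so the dialog functions are shadowed by passing no-op parameters to `new Function` instead of assigning `window.alert = function () {}` as you would in the browser.

```javascript
// Added example (not JS Bin, CodePen or Paysage code): loop-protect-style instrumentation
// without an AST, plus no-op stubs for the blocking dialog functions.

// Rewrite user source so that every braced while/for/do loop (a) resets a per-loop start
// time when the loop statement is entered and (b) checks elapsed time on every iteration.
// Hypothetical helper names: __loopEnter / __loopCheck.
function instrumentLoops(src, budgetMs) {
  const header =
    'var __loopStart = {};\n' +
    'function __loopEnter(id) { __loopStart[id] = Date.now(); }\n' +
    'function __loopCheck(id) {\n' +
    '  if (__loopStart[id] === undefined) __loopStart[id] = Date.now();\n' +
    '  if (Date.now() - __loopStart[id] > ' + budgetMs + ')\n' +
    '    throw new Error("Loop protect: loop " + id + " ran longer than ' + budgetMs + 'ms");\n' +
    '}\n';

  const kw = /\b(while|for|do)\b/g;
  let out = '', last = 0, id = 0, m;
  while ((m = kw.exec(src)) !== null) {
    let j = m.index + m[0].length;
    if (m[1] !== 'do') {
      // Skip to the '(' and find its matching ')' by depth counting, so that
      // conditions containing calls such as f(x) do not confuse the scanner.
      while (j < src.length && /\s/.test(src[j])) j++;
      if (src[j] !== '(') continue;
      for (let depth = 0; j < src.length; j++) {
        if (src[j] === '(') depth++;
        else if (src[j] === ')' && --depth === 0) { j++; break; }
      }
    }
    while (j < src.length && /\s/.test(src[j])) j++;
    if (src[j] !== '{') continue; // brace-less bodies (and the `while` of do/while) are left alone

    // Only inject the reset when the keyword starts a statement (after ';', '{' or '}'),
    // so `if (x) for (...) {` does not get a stray statement between `if` and `for`.
    const prev = src.slice(last, m.index).trimEnd();
    const prevChar = prev.length ? prev[prev.length - 1] : '{';
    const enter = ';{}'.includes(prevChar) ? '__loopEnter(' + id + '); ' : '';

    out += src.slice(last, m.index) + enter + src.slice(m.index, j + 1) + ' __loopCheck(' + id + ');';
    last = j + 1;
    kw.lastIndex = j + 1;
    id++;
  }
  return header + out + src.slice(last);
}

// Run instrumented user code with alert/confirm/prompt/print/open shadowed by no-ops,
// recording which dialogs were suppressed. Returns { ok, result | error, suppressed }.
function runGuarded(userSrc, budgetMs = 100) {
  const suppressed = [];
  const stub = name => function () { suppressed.push(name); };
  const fn = new Function('alert', 'confirm', 'prompt', 'print', 'open',
    instrumentLoops(userSrc, budgetMs));
  try {
    const result = fn(stub('alert'), stub('confirm'), stub('prompt'), stub('print'), stub('open'));
    return { ok: true, result, suppressed };
  } catch (err) {
    return { ok: false, error: err.message, suppressed };
  }
}

// Constructed sample programs (not real user submissions).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(runGuarded('var n = 0; for (var i = 0; i < 1000; i++) { n += i; } alert("done"); return n;'));
  console.log(runGuarded('while (true) {}', 50));
}
```

Caveat: the scanner does not skip string literals or comments, so a string containing `for (x) {` would be rewritten too, and brace-less loop bodies are not protected at all. Those are exactly the cases where an AST-based rewrite like CodePen's Esprima approach is more robust than a textual one.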