Databases
StackOverflow2013
Postsdbo
POUsing caja to sanitize Javascript?
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POUsing caja to sanitize Javascript?
    text
    copied!<p>I'd like to allow users of my application to write plugins in Javascript that extend its functionality, without allowing access to anything other than a plugin API object I provide. For example, a plugin might look like the following:</p> <pre><code>plugin.hookSomeUserAction(function() { plugin.doSomethingWickedAwesome(); document.title = 'hacked!'; //shouldn't work }); </code></pre> <p>Caja looks like it should be able to get the job done, but the documentation is perhaps the worst of any open-source project I've seen (quite an accomplishment!). I need some help getting the system set up.</p> <p>I've gotten the cajoler working on the command line, and I've cajoled one such plugin into some kind of hopefully sanitized Javascript. The cajoled Javascript looks like it's expecting an "IMPORTS___" object to be provided, which should contain all the stuff the plugin has access to. Pretty promising so far!</p> <p>Unfortunately, getting that cajoled Javascript file to actually load and run has turned into a real mess. The source snippet <a href="http://code.google.com/p/google-caja/wiki/HostingModules" rel="noreferrer">in the docs</a> is unfortunately completely wrong, as the function loadCaja doesn't actually appear anywhere in the current trunk of google-caja. I tracked down some code that at least does <em>something</em>:</p> <pre><code>&lt;div id="plugin"&gt;&lt;/div&gt; &lt;script&gt; caja.configure({ cajaServer: "/js/caja" }, function(frameGroup) { frameGroup.makeES5Frame(document.getElementById('plugin'), { /* No network access */ }, function(frame) { frame.url('/js/plugins/test.js') .run({}); } ); }); &lt;/script&gt; </code></pre> <p>Unfortunately, what this does is attempt to get the cajoler to re-cajole the javascript that I've already cajoled. I definitely am <em>not</em> interested in having the server re-cajole every plugin on every request; I'll just cajole it upon upload and store it away ready to use.</p> <p>I also can't find any documentation on how or where to specify what goes into IMPORTS___ (given that that's the whole security model, it seems like a strange oversight in documentation). Is that the object being passed into .run()?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload