
<p>There's no absolute way to prevent an end user or addon developer from executing specific code in JavaScript. That's why security measures in an open source language like JavaScript are said to be foolproof (as in they're only effective against fools).</p>
<p>That being said, however, let's build a sandbox security layer to prevent inexperienced developers from breaking your site. Personally I prefer using the <code>Function</code> constructor over <code>eval</code> to execute user code for the following reasons:</p>
<ol>
<li>The code is wrapped in an anonymous function. Hence it may be stored in a variable and called as many times as needed.</li>
<li>The function always exists in the global scope. Hence it doesn't have access to the local variables in the block which created the function.</li>
<li>The function may be passed arbitrary named parameters. Hence you may exploit this feature to pass or import modules required by the user code (e.g. <code>jQuery</code>).</li>
<li>Most importantly you may set a custom <code>this</code> pointer and create local variables named <code>window</code> and <code>document</code> to prevent access to the global scope and the DOM. This allows you to create your own version of the DOM and pass it to the user code.</li>
</ol>
<p>Note however that even this pattern has disadvantages. Most importantly it may only prevent direct access to the global scope. User code may still create global variables by simply declaring variables without <code>var</code>, and malicious code may use hacks like creating a function and using its <code>this</code> pointer to access the global scope (the default behavior of JavaScript).</p>
<p>So let's look at some code: <a href="http://jsfiddle.net/C3Kw7/" rel="noreferrer">http://jsfiddle.net/C3Kw7/</a></p>
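The sandbox pattern described in the answer, together with the two escapes it warns about, as an added example that is not the answer's own code or the linked jsfiddle. The `makeSandbox` helper, the fake `window`/`document` objects and the user-code strings are constructed for illustration; the real global is referenced as `globalThis` so the same code runs in Node and in a browser.

```javascript
// Added example: Function-constructor sandbox with shadowed `window`/`document`
// and a custom `this`, then the escapes the answer mentions. Names are invented.

// Compile untrusted code into a reusable closure. The parameter names `window`
// and `document` shadow the real globals inside the user code; `modules` is an
// optional map of extra named parameters to inject (e.g. { jQuery: $ }).
function makeSandbox(userCode, modules) {
  const fakeDocument = {
    title: 'sandboxed page',
    getElementById() { return null; }, // no real DOM behind this
  };
  const fakeWindow = { document: fakeDocument, alert() {} };
  const moduleNames = Object.keys(modules || {});
  const moduleValues = moduleNames.map((name) => modules[name]);
  // Function bodies compiled this way live in global scope, so locals of the
  // caller are not reachable; only the parameters and `this` are handed over.
  const compiled = new Function('window', 'document', ...moduleNames, userCode);
  return function run() {
    return compiled.call(fakeWindow, fakeWindow, fakeDocument, ...moduleValues);
  };
}

// Well-behaved user code only ever sees the fake DOM.
function runWellBehaved() {
  const run = makeSandbox('return document.title + " via " + typeof window.alert;');
  return run(); // "sandboxed page via function"
}

// Escape 1: a nested sloppy-mode function called with no receiver gets the real
// global object as `this` (the "default behavior of JavaScript" in the answer).
function runThisEscape() {
  const run = makeSandbox('return (function () { return this; })();');
  return run() === globalThis; // true: the shadowing did not help
}

// Escape 2: assigning to an undeclared identifier creates a real global.
function runImplicitGlobalEscape() {
  const run = makeSandbox('leakedByUserCode = 42; return leakedByUserCode;');
  run();
  const leaked = globalThis.leakedByUserCode;
  delete globalThis.leakedByUserCode; // clean up so the escape is observable once
  return leaked; // 42
}

// A "use strict" directive at the top of the compiled body closes both holes:
// bare-call `this` becomes undefined and undeclared assignment throws.
function runStrictThis() {
  const run = makeSandbox('"use strict"; return (function () { return this; })();');
  return run(); // undefined
}

function runStrictImplicitGlobalThrows() {
  const run = makeSandbox('"use strict"; leakedByUserCode = 42;');
  try {
    run();
    return false;
  } catch (e) {
    return e instanceof ReferenceError && !('leakedByUserCode' in globalThis);
  }
}
```

Prepending `"use strict"` to the body is the cheapest hardening of this pattern, but it only removes the two escapes shown here; user code can still name `globalThis` directly or call `Function('return this')()`, so the pattern remains a guard against accidents rather than a security boundary, which is the answer's point.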