I've been working on a JS library and would like to set up a demo page on GitHub that allows, for example, users to define their own callbacks and execute commands.
I know "eval() is evil" and I can see how blind eval() of scripts could lead to XSS and other security issues. I'm trying to cook up some alternative schemes.
I really enjoy the interactivity of jsFiddle. I've taken a look at their source but was hoping someone could lay out here how jsFiddle allows and executes user-defined JavaScript without being dangerous. So long as it doesn't involve a 3rd party echo server, I'm hoping I can emulate the approach.
jsFiddle is one of the most popular web development environments (it runs in a web browser) that lets you edit and run code written in HTML, JavaScript and CSS; such a snippet is called a "fiddle". It is possible to use a JavaScript library, such as jQuery.
Created by Piotr Zalewa, jsFiddle is a free code-sharing tool that allows you to edit, share, execute and debug Web code within a browser. jsFiddle is a great tool for testing and sharing Web code.
Just a side note - all fiddles are public. Anyone who knows the URL can access it. Thanks for pointing out that setting it as the base version makes it visible on the public profile page.
jsFiddle executes user scripts on a separate domain, http://fiddle.jshell.net (try it and see).
Therefore, it can't interact with the parent frame and it can't steal cookies.
You can actually do this without a separate server by placing a static page on a separate domain that reads the script from its query string in JavaScript.
You can communicate back using the page title (and so can the enemy).
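The approach both answers describe, as an added example (not jsFiddle's code): the host page hands the user's script to a static runner page on a separate origin via the query string, and the runner evaluates it there. Instead of the page title, this version reports the result back with postMessage and has the host check the sender's origin; the origins `https://sandbox.example.net` and `https://demo.example.com` are assumptions.

```javascript
// Added example, not code from the question, the answers or jsFiddle.
// Assumed origins: the runner page must live on a different origin from the host,
// because the same-origin policy is what keeps the user's script away from the
// host's DOM and cookies.
const RUNNER_ORIGIN = 'https://sandbox.example.net'; // assumed throwaway origin
const HOST_ORIGIN = 'https://demo.example.com';      // assumed demo-page origin

// Host side: put the untrusted script into the runner URL's query string.
function buildRunnerUrl(userCode) {
  return RUNNER_ORIGIN + '/run.html?code=' + encodeURIComponent(userCode);
}

// Host side: only accept results that really come from the runner origin.
// Any window that can reach the host could otherwise post forged results.
function acceptResult(event) {
  if (event.origin !== RUNNER_ORIGIN) return null;
  return typeof event.data === 'string' ? event.data : null;
}

// Runner side: recover the script from the query string.
function codeFromQuery(search) {
  return new URLSearchParams(search).get('code') || '';
}

// Runner side: this is still eval-like, but it runs on the throwaway origin,
// so the script can only affect its own sandbox. Errors become plain text.
function runFiddle(userCode) {
  try {
    return String(new Function(userCode)());
  } catch (err) {
    return 'Error: ' + err.message;
  }
}

// Browser wiring; skipped under Node so the functions above can be tested alone.
if (typeof document !== 'undefined') {
  if (location.origin === RUNNER_ORIGIN) {
    // Target the host explicitly rather than '*', so no other embedder gets the result.
    window.parent.postMessage(runFiddle(codeFromQuery(location.search)), HOST_ORIGIN);
  } else {
    window.addEventListener('message', (e) => {
      const result = acceptResult(e);
      if (result !== null) console.log('fiddle result:', result);
    });
    const frame = document.createElement('iframe');
    frame.src = buildRunnerUrl('return 6 * 7;'); // sample user script
    document.body.appendChild(frame);
  }
}
```

The result channel works either way; the origin check in `acceptResult` is the part that keeps the separation from being undone by a forged message.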