Closure protection?

[hexaplus]

Hello every one!

I have a tricky Question for you all.

I have a text box on a page which is going to use eval to evaluate math functions. I would like to leverage eval but don't want the user to shoot them selves in the foot inadvertently.
can any one think of a way to get around the following:
where you can type any eval function you like?

The idea here is to have all my code as a member of proObj...

var proObj={pro:"protected variable"}
function noscope(text)
{
var proObj=false;
var window=false;
var document=false;

try
{
    eval(text);
}
catch(e)
{
    alert("cought");
}

}

noscope('proObj.pro="boo"');
alert(proObj.pro);

P.S. obviously this doesn't prevent the user from using fire bug etc its just to "safe" the eval box/

 

[BillyRayPreachersSon]

AFAIK, the user will still be able to access many things that are implicitly available through the "window" or "document" objects (e.g. "location.href = '

http://www.google.co.uk/'"),

and you you cannot get around this by overwriting them as they're read-only (at least in IE 6, Fx 2, Safari 3/Win).

I'm not sure you'll find a way of completely stopping the user from doing something you don't want them to do (e.g. navigating away from the page, showing alerts, etc).

Perhaps an iframe on a different domain might minimise the risk, but then you won't really be able to script it.

Dan



Coedit Limited - Delivering standards compliant, accessible web solutions

[tt]Dan's Page [blue]@[/blue] Code Couch

http://www.codecouch.com/dan/

[/tt]

 

[hexaplus]

Actually You can. Location would be need to be added to the list. Because document location and window are not reserved words they can be deffined as local variables. The above code is an example of closure the document and window deffinitions will take precedence over the global doument and window definitions. If the the user types document.anything the document will refer to the variable false not the global document variable... try it.

As for if this will protect you it will I've decided it will... unless you are using a library such as prototype in which case the user could wreck havoc using the $ operator for instance. I've decided to create a regular expression which will check the input somehting like
(\Math.\|0-9\|cos|(|)|...)*
if the regular expression matches it will do the evaluation, if not it won't.

 

[BillyRayPreachersSon]

I did try it. Which is how I know that if the user happens to omit the prefix "window." or "document.", then the call still goes through to the global object, even though you have a local one with the same name.

Unless you make a local variable for every single thing you don't want the user to be able to do (which might be a very long list with all the ActiveX controls, etc, you could possibly want to block), then your regexp solution might be the easiest method.

Dan



Coedit Limited - Delivering standards compliant, accessible web solutions

[tt]Dan's Page [blue]@[/blue] Code Couch

http://www.codecouch.com/dan/

[/tt]

 

[hexaplus]

I see what your were saying now my initial inclination was to simply block the proObj from being modified so the user could still make getElementById calls if they really wanted to but you right a write call could still wreck havoc.
Thanks for your input.
Ull post the regex when I get around to it.