English 中文(简体)
我如何在网页上安全地“电子”用户代码?
原标题:How do I safely "eval" user code in a webpage?

I m working on a webapp to teach programming concepts. Webpages have some text about a programming concept, then let the user type in javascript code into a text editor window to try to answer a programming problem. When the user clicks "submit", I analyse the text they ve typed to see if they have solved the problem. For example, I ask them to "write a function named f that adds three to its argument".

这里,我做的是分析用户案文:

  1. Run JSLint on the text with strict settings, in particular without assuming browser or console functions.
  2. If there are any errors, show the errors and stop.
  3. eval(usertext);
  4. Loop through conditions for passing the assignment, eval(condition). An example condition is "f(1)===4". Conditions come from trusted source.
  5. Show passing/failing conditions.

我的问题:这是否足以防止安全问题? 我可以做些什么? 是否有更好的办法去做我想要的东西?

如果是相关的,我的申请是在谷歌应用引擎上,使用JQuery,有个人用户账户。

最佳回答

因此,从我能够告诉的,如果你只为用户提供信息,那就是一个安全问题。 只有当用户对其他<>/em>的输入时,才会有问题。

用户输入的阀值不低于用户对源的浏览量,对吉大港山区的头目进行观察,使用大火来检查 Java的标本等。 他们已经能够接触到所有东西。

如果你确实需要确保其代码,请查谷歌·卡哈

时间:2011-07-15 23:12:58
问题回答

这是一个trick问题。 网页上没有安全的<代码>eval()用户代码。

时间:2011-07-15 23:12:25

不清楚<代码>eval()在客户或服务器方面发生。 客户方面:
时间:2019-02-13 19:09:57

无法做到这一点。 浏览器没有向网页提供短信,以限制在特定情况下可以执行哪种守则。

然而,这也许不是问题。 如果你在网站上不使用任何厨师,那么执行任意的 Java字就不是一个问题。 毕竟,如果没有认证概念,就不存在对申请的质疑。 此外,如果你能够证实用户meant<>em> > 执行所寄送的文字,那么你也应当受到保护,免受攻击,例如,如果你只用打上页的文字,而永远不会通过GET或POST数据提交文字,或者如果你包含这些要求所特有的某种文字,以证实这一请求源自你的网站。

然而,对分<<>问题的答复是,这一问题的答案相当高,是无法做的,而且用户的投入永远不会受到信任。 职业:

时间:2011-07-15 23:14:14

你的最大问题永远是防止在用户提供的法典中出现无限的漏洞。 您可以通过在适当的背景下,例如:

let userInput = getUserInput();
setTimeout(() => {
  let window = null;
  let global = null;
  let this = null;
  // ... set any additional references to `null`
  
  eval(userInput);
}, 0);

您可在try/ submissions中填写上述代码,以防止因子和逻辑错误在受控的<代码>eval范围之外坠毁,但您将(provable)永远无法发现,在新用户的投入中是否界定了将ava印单线连接起来的fin,从而使其时间环境完全停顿。 解决类似问题的唯一办法,是界定你自己的 j字译员,利用它处理用户的意见,并提供一种机制,限制你的 j字译员愿意采取的步骤数目。 这将是很多麻烦!

时间:2020-11-15 04:34:58


上一篇:
下一篇:


相关问题
selected text in iframe

How to get a selected text inside a iframe. I my page i m having a iframe which is editable true. So how can i get the selected text in that iframe.

时间:2009-11-13 04:26:50 回答:3 展示:1
How to fire event handlers on the link using javascript

I would like to click a link in my page using javascript. I would like to Fire event handlers on the link without navigating. How can this be done? This has to work both in firefox and Internet ...

时间:2009-11-13 04:03:02 回答:2 展示:1
How to Add script codes before the </body> tag ASP.NET

Heres the problem, In Masterpage, the google analytics code were pasted before the end of body tag. In ASPX page, I need to generate a script (google addItem tracker) using codebehind ClientScript ...

时间:2009-11-13 03:31:36 回答:3 展示:1
Clipboard access using Javascript - sans Flash?

Is there a reliable way to access the client machine s clipboard using Javascript? I continue to run into permissions issues when attempting to do this. How does Google Docs do this? Do they use ...

时间:2009-11-09 14:57:38 回答:8 展示:1
javascript debugging question

I have a large javascript which I didn t write but I need to use it and I m slowely going trough it trying to figure out what does it do and how, I m using alert to print out what it does but now I ...

时间:2009-11-09 14:29:27 回答:2 展示:1
Parsing date like twitter

I ve made a little forum and I want parse the date on newest posts like twitter, you know "posted 40 minutes ago ","posted 1 hour ago"... What s the best way ? Thanx.

时间:2009-11-09 14:21:27 回答:2 展示:1
热门标签

友情链接

Allggapp Alljchome-教程家园 mvfinale.com-影视剧情大结局大全