Question
I'm trying to use Douglas Crockford's ADsafe library.
I thought it is supposed to restrict the JavaScript that can be used, but it seems to be letting dangerous calls through, such as eval().
Here's an example of the sandbox not restricting anything:
<html>
<head>
<title>ADsafe Widget Template</title>
</head>
<body>
<script src="adsafe.js"></script>
<div id="WIDGET_">
<script>
ADSAFE.go("WIDGET_", function (dom, lib) {
"use strict";
//
// ADsafe is allowing these to execute!!
//
window.alert("window.alert is working :(");
eval('window.alert("hello from eval")');
window.location = "http://www.google.com";
});
</script>
</div>
</body>
</html>
Does anybody know how the ADsafe sandbox is supposed to work?
Answer 1:
As far as I can tell, ADsafe does not actually check your code for these violations. You are expected to use JSLint with ADsafe options enabled, to parse any untrusted JavaScript and verify that there are no ADsafe violations, before using it.
Anyone, please correct me if this is wrong.
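To make the point of this answer concrete: ADSAFE.go() never inspects the function it is handed, so the banned calls in the question have to be caught by a verifier that reads the widget source before it is ever loaded. The following is an added example, not code from the question, from ADsafe or from JSLint; it is a deliberately small blacklist check of the kind such a verifier applies. The banned-name list and the two widget snippets are constructed for this example (eval and the leading/trailing-underscore rule are documented ADsafe rules; the rest of the list is an assumption), and JSLint's ADsafe mode is stricter than this, since it whitelists the globals a widget may reference instead of blacklisting a few.

```javascript
// Added example: a minimal static pre-check for untrusted ADsafe widget source.
// Not ADsafe's or JSLint's code; the name lists below are an assumption.

// Names the check rejects. "eval" and the underscore rule are documented ADsafe
// rules; the remaining entries are an assumed subset for this example.
const BANNED_NAMES = new Set([
  'eval', 'arguments', 'callee', 'caller', 'constructor', 'prototype', 'valueOf', 'this',
]);
// Globals a widget must not touch; an ADsafe widget is meant to see only
// ADSAFE, dom and lib (assumed list, blacklist form).
const BANNED_GLOBALS = new Set(['window', 'document', 'self', 'top', 'parent', 'location']);

// Blank out comments and string literals in one left-to-right pass, so that
// "eval" inside a string is not a false positive and "//" inside a URL string
// is not mistaken for a comment. Newlines are preserved to keep line numbers.
function stripNonCode(src) {
  return src.replace(
    /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g,
    (m) => (m[0] === '"' || m[0] === "'") ? '""' : m.replace(/[^\n]/g, ' ')
  );
}

// Returns an array of { name, line } violations; an empty array means "passed".
function checkWidgetSource(src) {
  const violations = [];
  stripNonCode(src).split('\n').forEach((text, i) => {
    const line = i + 1;
    for (const m of text.matchAll(/[A-Za-z_$][\w$]*/g)) {
      const name = m[0];
      if (BANNED_NAMES.has(name) || BANNED_GLOBALS.has(name)) {
        violations.push({ name, line });
      } else if (name.startsWith('_') || name.endsWith('_')) {
        // ADsafe reserves names that start or end with an underscore.
        violations.push({ name, line });
      }
    }
  });
  return violations;
}

// Convenience wrapper: true only when no violation was found.
function isSafeWidget(src) {
  return checkWidgetSource(src).length === 0;
}

// Constructed sample: the body of the widget function from the question.
const UNSAFE_WIDGET = `
"use strict";
// ADsafe is allowing these to execute!!
window.alert("window.alert is working :(");
eval('window.alert("hello from eval")');
window.location = "http://www.google.com";
`;

// Constructed sample: a widget that only uses what ADsafe hands it, and whose
// string literal mentioning eval must not trip the check.
const SAFE_WIDGET = `
"use strict";
dom.q("#out").value("no eval here");
`;

for (const v of checkWidgetSource(UNSAFE_WIDGET)) {
  console.log('reject: line ' + v.line + ' uses ' + v.name);
}
console.log('safe widget accepted: ' + isSafeWidget(SAFE_WIDGET));
```

Run with node; the unsafe widget is rejected for window (twice), eval and location, and the safe widget passes. The design point is that the check runs on the source text at publish time, which is where ADsafe puts the trust decision; nothing at runtime would stop the question's widget once it has been handed to ADSAFE.go().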
Answer 2:
The code is inside the div, so the code is executed before the div is fully loaded, and it apparently does not work in that case. Moving the script outside and after the div works: http://jsfiddle.net/pimvdb/dFQQa/.
<html>
<head>
<title>ADsafe Widget Template</title>
</head>
<body>
<script src="adsafe.js"></script>
<div id="WIDGET_"></div>
<!-- div has been ended and fully loaded by now -->
<script>
ADSAFE.go("WIDGET_", function (dom, lib) {
"use strict";
//
// ADsafe is allowing these to execute!!
//
window.alert("window alert is working :(");
eval('window.alert("hello from eval")');
window.location = "http://www.google.com";
});
</script>
</body>
</html>
Source: https://stackoverflow.com/questions/7162379/cant-get-simple-adsafe-widget-to-work