6

I would like to implement a scripting language to assist in partially automating certain tasks on a public wiki. I cannot install anything such as Google Caja on the server or modify the wiki software itself, but I can install JavaScript code for client-side execution. Because my intent is to allow ordinary users to create and post scripts, using JavaScript itself is insecure and could lead to account compromises.

Does such a scripting language implementation exist, or if not, is it relatively easy to create? My focus is on ease of text processing, Ajax requests, and implementation.

Here is an example task a script would need to perform, taken from Wikipedia's procedure for requesting article deletion:

  1. Ask the user for the name of a wiki page and a good reason to delete it.
  2. Get that page's source code, add a deletion notice to the top, and save the new text.
  3. Create a new page (its name based on the first page's name) that includes the reason for deletion.
  4. Get the list of users who edited the page and notify the first one (again, by editing a specific page) that the page he created is about to be deleted.
PleaseStand
  • If you want this language to both be able to make ajax requests and access/modify the DOM, you are not gaining any security over just JS (if it can't touch the DOM tho it _might_ be no problem) – tobyodavies Oct 18 '10 at 02:53
  • The idea is not for any arbitrary DOM modification or Ajax requests to be allowed, only those that are relatively "safe" and can be easily undone after the user is shown a list of actions that were in fact performed. – PleaseStand Oct 18 '10 at 02:58
  • I don't understand at all. What is this "scripting language" supposed to be able to do? – Pointy Oct 18 '10 at 03:48
  • Can you give a very specific example of what one of these scripts might do? – Pointy Oct 18 '10 at 12:43

3 Answers

3

Here's an implementation of Tcl in javascript: Tcl in Javascript.

Here's the source: tcl.js.

And here's code implementing a live console in your browser to play with: A little tcl.js console

Tcl may not be your cup of tea but the implementation looks fairly simple and straightforward. This is mainly because tcl itself is such a simple language. You can use it to get ideas on how to implement variables and functions.

Hint: in tcl, control structures are functions so look at where built-in functions are implemented to see the implementation of for, while and foreach.

slebetman
2

Douglas Crockford's ADsafe is supposed to be a secure subset of JavaScript.

It consists of a runtime library (~20 KB minified) and a verifier (included in JSLint). If Crockford were to drop "The Software shall be used for Good, not Evil" from the license, both components would be GPL-compatible open-source programs.

Because JSLint is a JavaScript program, it can verify user scripts entirely within the web browser. This is in contrast to Google Caja, which is written in Java.

PleaseStand
  • ADsafe doesn't seem to do anything about infinite loops or enforcing a timeout, which means it's still possible for one user to do something like `for(;;);` and have another user's page lock up; or something like `a=[]; for(;;) { a = [a,a] }` for a memory explosion. – David Given Feb 01 '16 at 11:26
-1

You could just sandbox; that is, scope in a couple of key variables so that the user's code is unable to access unsafe objects.

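var execSandboxedJS = function (jsCode) {
    // Look up the root element before shadowing: a hoisted `var document`
    // would still be undefined here.
    var root = document.getElementById('myRootElement');
    // window and document are shadowed only for the evaluated code.
    (function (window, document) {
        eval(jsCode);
    })(root, root);
};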

Though, allowing user code to make ajax requests is, in itself, inherently unsafe. I would reconsider the sanity of the project if that's what's called for.

Fordi
  • Not good enough. For starters, that can easily be broken out of by using `self` instead of window. The way JavaScript is, it would be extremely hard to patch all the holes - see http://code.google.com/p/google-caja/wiki/AttackVectors. – PleaseStand Oct 18 '10 at 11:10
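
The restricted-language approach from the question, using the Tcl answer's hint that control structures can be ordinary commands and addressing the comment about infinite loops and memory growth, as an added example that is not code from any poster, tcl.js or ADsafe. Scripts reach only allow-listed commands, edits are queued for the user to review rather than sent, and a step budget plus a value-size cap stop runaway scripts; the command names (`set`, `append`, `repeat`, `edit`) and the limits are assumptions made for illustration.

```javascript
// Added example: allow-list command interpreter (command names are hypothetical).
function split(src, seps) {            // split on separators at brace depth 0 only
  const parts = [];
  let depth = 0, cur = '';
  for (const ch of src) {
    if (ch === '{') depth++;
    if (ch === '}' && --depth < 0) throw new Error('unbalanced braces');
    if (depth === 0 && seps.includes(ch)) {
      if (cur.trim()) parts.push(cur);
      cur = '';
    } else cur += ch;
  }
  if (depth !== 0) throw new Error('unbalanced braces');
  if (cur.trim()) parts.push(cur);
  return parts;
}

function run(script, maxSteps = 1000, maxChars = 10000) {
  const vars = new Map(), actions = [];
  let steps = 0;
  const tick = () => { if (++steps > maxSteps) throw new Error('step budget exceeded'); };
  const store = (name, value) => {
    if (typeof value !== 'string' || value.length > maxChars) throw new Error('invalid or oversized value');
    vars.set(name, value);
  };
  const commands = new Map([            // the only operations a script can reach
    ['set', (name, value) => store(name, value)],
    ['append', (name, text) => store(name, (vars.get(name) || '') + text)],
    // Control structure implemented as an ordinary command, as in Tcl.
    ['repeat', (count, body) => { for (let i = 0; i < Number(count); i++) { tick(); exec(body); } }],
    // Edits are queued for the user to review; nothing is sent from here.
    ['edit', (page, text) => { actions.push({ page, text }); }],
  ]);
  const value = (w) => w[0] === '{' ? w.slice(1, -1)   // braces quote literally
    : w[0] === '$' ? (vars.get(w.slice(1)) || '') : w; // $name reads a variable
  function exec(src) {
    for (const stmt of split(src, ';\n')) {
      tick();
      const [name, ...args] = split(stmt, ' \t').map(value);
      const command = commands.get(name);
      if (!command) throw new Error('unknown command: ' + name);
      command(...args);
    }
  }
  exec(script);
  return actions;
}
```

Because user text is parsed into words and never passed to `eval`, names such as `self` or `constructor` are just unknown commands; the host page decides what each queued `edit` turns into.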