js calls react components_Introduction to React JS components.JS calls methods in CS: WebMethod PageMethods AjaxMethod.js calls iframe to realize the method of printing the specified content of the page.The sandbox using nodeJS is very simple, just use the VM Module provided by nodeJS. For example, the code verification of is to put it in the backend to do code sandboxing. This easter egg is to use nodeJS to build a sandbox. At the beginning, there is an easter egg at the end of the article. The two commonly used sandbox modes are almost explained here. Var code = document.getElementById('code').value į(code, '/') // only want to send the tabs of the same originĭocument.getElementById('safe').addEventListener('click', evaluate) One for communication and one for execution. (Of course, you can also use new Function, this is up to you.) The frame here is to use postMessage+eval. iframe script executionĪs mentioned above, we need to use eval to execute the method, so we need to add the attribute of allow-scripts on the iframe. Next, let's explain in detail, if you use iframe to code evaluation. For more details, please refer to: please call me HR. In this way, the execution of the js script can be guaranteed, but the javascript in the iframe is prohibited from executing top.location = self.location. You can add permission to allow in the sandbox. The configuration effect allow-forms allows submitting the form allow-scripts runs and executes the script allow-same-origin allows same-domain requests, such as ajax, storage allow-top-navigation allows iframe to dominate window.top for page jumping allow-popups allows iframe Pop up a new window, for example, window.open, target="_blank" allow-pointer-lock can lock the mouse in iframe, mainly related to mouse lock Make some simple settings in the sandbox It's a good iframe, isn't it a bit too much for you? However, you can relax the permissions a bit. Unable to load additional plug-ins such as flash, etc.ħ. Cannot create new pop-up windows and windows, such as window.open or target="_blank"Ħ. Cannot use local storage, ie localStorage, cookie, etc.Ĥ. This has been added, so you can't do the following things:ģ. ![]() and the support is also very good, Such as IE10. Load the sandbox into the iframe, then your iframe is basically just a label. This attribute can be said to be a real sandbox. The easiest way is to use the sandbox attribute. Next, let's take a look at how to compile the code using iframe. ![]() ![]() (If something happens, it's purely a coincidence, and I'm not responsible for it). It's almost there, if you don't think it's ugly, you can use it directly. And, he also Variables in the closure can be accessed. Because, the characteristic of eval is that if there is no one in the current domain, it will traverse upwards until the top-level global scope such as window. The easiest way is to use eval for code execution eval('console.log("a simple script") ') īut, if you use it directly like this, congraduations. This way is not a particularly good idea, because it needs to spend more energy on security. At the end of the article, let's see if I am in the mood to put an easter egg. Next, let's analyze step by step, if it is done in the front-end sandbox. ![]() In general, our code volume is 60% business + 40% security. Different routes lead to the same goal, the main thing is to prevent some Hackers who are full and have nothing to do, and collect money from others to hack your website. There are currently two sandbox modes popular in the market, one is to use iframe, and the other is to use new Function + eval to execute directly on the page.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |