This article covers how to deal with a simple ADsafe widget that cannot be made to work; it may be a useful reference for anyone solving the same problem.

Problem description


I'm trying to use Douglas Crockford's ADsafe library. I thought it is supposed to restrict the JavaScript that can be used, but it seems to be letting dangerous calls through, such as eval().

Here's an example of the sandbox not restricting anything:

<html>
<head>
<title>ADsafe Widget Template</title>
</head>
<body>
    <script src="adsafe.js"></script>

    <div id="WIDGET_">
    <script>
        ADSAFE.go("WIDGET_", function (dom, lib) {
            "use strict";

            //
            // ADsafe is allowing these to execute!!
            //
            window.alert("window.alert is working :(");
            eval('window.alert("hello from eval")');
            window.location = "http://www.google.com";
        });
    </script>
    </div>
</body>
</html>

Does anybody know how the ADsafe sandbox is supposed to work?

Solution

As far as I can tell, ADsafe does not actually check your code for these violations. You are expected to use JSLint with ADsafe options enabled, to parse any untrusted JavaScript and verify that there are no ADsafe violations, before using it.

Anyone, please correct me if this is wrong.
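
The workflow described in the answer, verification before execution, sketched as an added example (not code from the original post, ADsafe or JSLint). A simplified name scanner stands in for JSLint's ADsafe mode; `BANNED`, `stripLiterals`, `findViolations` and `admitWidget` are hypothetical names, and the banned list is a constructed subset.

```javascript
// Added illustration of "verify first, run later". A simplified stand-in for
// JSLint's ADsafe mode: it ignores regex and template literals and checks names only.

// Constructed subset of names an ADsafe-style verifier refuses (assumption).
const BANNED = new Set(["eval", "window", "document", "this", "arguments",
    "callee", "caller", "constructor", "prototype", "Function"]);

// Blank out comments and quoted strings, keeping line breaks, so that only
// code tokens are inspected and reported line numbers stay correct.
function stripLiterals(src) {
    const literal = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g;
    return src.replace(literal, (m) => m.replace(/[^\n]/g, " "));
}

// Return every banned identifier together with its 1-based line number.
function findViolations(src) {
    const violations = [];
    stripLiterals(src).split("\n").forEach((line, i) => {
        for (const m of line.matchAll(/[A-Za-z_$][\w$]*/g)) {
            if (BANNED.has(m[0])) {
                violations.push({ line: i + 1, name: m[0] });
            }
        }
    });
    return violations;
}

// Gate: the widget reaches the page only when the verifier reports nothing.
function admitWidget(src) {
    const violations = findViolations(src);
    return { admitted: violations.length === 0, violations };
}

// The widget body from the question above.
const QUESTION_WIDGET = `ADSAFE.go("WIDGET_", function (dom, lib) {
    "use strict";
    // ADsafe is allowing these to execute!!
    window.alert("window.alert is working :(");
    eval('window.alert("hello from eval")');
    window.location = "http://www.google.com";
});`;

// Constructed widget that only mentions the banned names inside a string.
const CLEAN_WIDGET = `ADSAFE.go("WIDGET_", function (dom, lib) {
    "use strict";
    var note = "eval and window are only words here";
});`;
console.log(admitWidget(QUESTION_WIDGET), admitWidget(CLEAN_WIDGET));
```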
