-
Unfortunately, it was too easy to trigger XSS: https://muffinman.io/pulsar/?grid=classic&animate=scale&code...
It is really hard to make a correct sandbox in JS in general, until we eventually get something like the Realms proposal [1].
[1] https://github.com/tc39/proposal-shadowrealm
-
I mean, it is still easy to work around that because `f.constructor` is just `f['const'+'ructor']` and so on. Backslash was just a cheap way to avoid the exact pattern and it will be hard to fix them with a disallowed word list. For example, you may disallow string literals but then template string literals can be used: `const${``}ructor`, and some interesting code would be disallowed over the course. Literals fully disallowed, it is still possible to construct a string "constructor" without them, as the good old JSFuck [1] demonstrates. Disallowing brackets is almost sufficient, but your global worker scope is still exposed and that may be exploitable.
After some search, it seems that using a null origin is the best approach you can use for now. Figma successfully used it in production [2] and the only reason they switched was that no state can ever be shared, which is not a big problem for your case. They also tried the Realms shim for the aforementioned proposal but it seems to have a known vulnerability. And I guess you don't want to ship a WebAssembly JS interpreter ;-)
Anyway, sorry to bother you; it is hard to balance fun and robustness at once. As a parting gift, the following is genuine code that renders a 7-segment counter: https://muffinman.io/pulsar/?grid=classic&animate=opacity&code=KGFicyh4KTw1KSooMS10JTEpKiouMyooKGMsZCk9PmMmMSZ%252BKGMrMT8yNjg2NTY3MjErKGQ8NSkqMTgwMjY4ODUxPj5kJTUqNitjLzI6ZD09MikpKCh5PjQpLTUqKHg%252BMikrKHk%252BMCktKHk8MCkrNSooeDwtMiktKHk8LTQpKzUsdCUxMHwwKQ%253D%253D
[1] https://jsfuck.com/
[2] https://www.figma.com/blog/how-we-built-the-figma-plugin-system/#attempt-1-the-iframe-sandbox-approach
-
Cool!
Reminds me a little bit of CSS Doodle: https://css-doodle.com/
For expressions, hopefully the TC39 ShadowRealm proposal will make this easier in the future.