Pulsar, micro creative coding playground

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • pulsar

    Micro creative coding playground (by Stanko)

    I mean, it is still easy to work around that because `f.constructor` is just `f['const'+'ructor']` and so on. Backslash was just a cheap way to avoid the exact pattern and it will be hard to fix them with a disallowed word list. For example, you may disallow string literals but then template string literals can be used: `const${``}ructor`, and some interesting code would be disallowed over the course. Literals fully disallowed, it is still possible to construct a string "constructor" without them, as the good old JSFuck [1] demonstrates. Disallowing brackets is almost sufficient, but your global worker scope is still exposed and that may be exploitable.

    After some search, it seems that using a null-origin is the best approach you can use for now. Figma successfully used it in production [2] and the only reason they switched was that no state can ever be shared, which is not a big problem for your case. They also tried the Realms shim for the aforementioned proposal but it seems to have a known vulnerability. And I guess you don't want to ship a WebAssembly JS interpreter ;-)

    Anyway, sorry to bother you; it is hard to balance the fun and robustness at once. As a parting gift, the following is genuine code that renders a 7-segment counter: https://muffinman.io/pulsar/?grid=classic&animate=opacity&code=KGFicyh4KTw1KSooMS10JTEpKiouMyooKGMsZCk9PmMmMSZ%252BKGMrMT8yNjg2NTY3MjErKGQ8NSkqMTgwMjY4ODUxPj5kJTUqNitjLzI6ZD09MikpKCh5PjQpLTUqKHg%252BMikrKHk%252BMCktKHk8MCkrNSooeDwtMiktKHk8LTQpKzUsdCUxMHwwKQ%253D%253D

    [1] https://jsfuck.com/

    [2] https://www.figma.com/blog/how-we-built-the-figma-plugin-system/#attempt-1-the-iframe-sandbox-approach

  • proposal-shadowrealm

    ECMAScript Proposal, specs, and reference implementation for Realms

    Unfortunately, it was too easy to trigger XSS: https://muffinman.io/pulsar/?grid=classic&animate=scale&code...

    It is really hard to make a correct sandbox in JS in general, until we eventually get something like the Realms proposal [1].

    [1] https://github.com/tc39/proposal-shadowrealm

  • jsfuck

    Write any JavaScript with 6 Characters: []()!+

  • css-doodle

    🎨 A web component for drawing patterns with CSS.

    Cool!

    Reminds me a little bit of CSS Doodle: https://css-doodle.com/

    For expressions, hopefully the TC39 Shadow Realms proposal will make this easier in the future.
