Re: [WEB SECURITY] JSReg: Javascript based RegExp sandbox
- From: gaz Heyes <gazheyes@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] JSReg: Javascript based RegExp sandbox
- Date: Fri, 3 Jul 2009 22:52:17 +0100
2009/7/3 Terri Oda <terri@zone12.com>
> I've been talking with some colleagues about doing something similar using
> those JS closures, but it'd be even easier if I could just use what you've
> got as a starting place, so... Thank you! I look forward to poking around
> with it.
Hey Terri, I initially thought closures could be used to prevent deletion or
overwriting of native functions, but I was wrong. After many different
attempts, the best way I could find, other than creating a string parser, is to
disable dangerous properties or use the Caja approach. The version that
exists at the moment is a good starting point: it allows quite a lot of
JavaScript and prevents dangerous assignments, as well as making variables
within the local scope. If you do want to use it after looking at the code,
let me know and I'll put some license on there, probably MS-PL, which should
be free for you to use in other projects. This is going to be an OWASP
project, so if you want to get involved you're more than welcome.
> Have you taken a look at Microsoft's Web Sandbox?
>
> http://websandbox.livelabs.com/
>
> It sounds superficially similar, but I haven't looked at it deeply yet.
Yeah, I've looked at MS Web Sandbox and it is better than mine (as is Caja).
They actually control JavaScript, CSS and HTML and verify the objects. The
reason I'm not using either on my project is that Caja uses Java (which I
don't think is required) and the MS sandbox requires remote inclusion or
Silverlight.
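Added illustration for the two points above (not JSReg's source, and not code from anyone in this thread): first, that a closure does not protect a native it shares with untrusted code in the same realm; second, a minimal rewriter in the spirit of "disable dangerous properties and move everything into local scope". The helper names (makeCounter, demoClosureIsNotEnough, rewrite, runSandboxed), the KEYWORDS/DANGEROUS lists and the sample inputs are my own choices, not JSReg's. It runs as-is under Node.js.

```javascript
// Added illustration, not JSReg's source. Names and lists are my own choices.

// ---- 1. A closure does not protect a shared native ----------------------
function makeCounter() {
  const items = [];
  // `items` is private, but push is looked up on Array.prototype at call
  // time, so code in the same realm can swap it out from under the closure.
  return function add(x) { return items.push(x); };
}

function demoClosureIsNotEnough() {
  const add = makeCounter();
  add('a');                                            // native push -> 1
  const saved = Array.prototype.push;
  Array.prototype.push = function () { return -1; };   // "untrusted" code
  const seen = add('b');                               // hijacked push -> -1
  Array.prototype.push = saved;                        // restore for the rest
  return seen;
}

// ---- 2. Reject dangerous names, prefix the rest into local scope ---------
const KEYWORDS = new Set(('break case catch continue default delete do else ' +
  'finally for function if in instanceof new return switch throw try typeof ' +
  'var void while null true false undefined').split(' '));
// Names that lead out of the local scope; checked before KEYWORDS so that
// `this` and `with` are refused rather than passed through.
const DANGEROUS = new Set(['eval', 'Function', 'constructor', '__proto__',
  'prototype', '__defineGetter__', '__defineSetter__', '__lookupGetter__',
  '__lookupSetter__', 'arguments', 'callee', 'caller', 'this', 'with',
  'window', 'document', 'self', 'top', 'parent', 'globalThis']);
const NUMBER = /^(0[xX][0-9a-fA-F]+|\d+(\.\d+)?([eE][+-]?\d+)?)/;

// Returns { code, locals }: `code` is src with every free identifier
// prefixed by `$`, `locals` the prefixed names the wrapper must declare.
// Not a full lexer: regex literals are not understood (a known limit).
function rewrite(src) {
  const locals = new Set();
  const n = src.length;
  let out = '', i = 0;
  while (i < n) {
    const c = src[i];
    if (c === '/' && src[i + 1] === '/') {               // line comment
      while (i < n && src[i] !== '\n') i++;
    } else if (c === '/' && src[i + 1] === '*') {        // block comment
      const end = src.indexOf('*/', i + 2);
      if (end < 0) throw new Error('unterminated comment');
      i = end + 2;
    } else if (c === '"' || c === "'") {                 // string literal
      let j = i + 1, value = '';
      while (j < n && src[j] !== c) {
        if (src[j] === '\\') j++;                        // \' and \" stay inside
        if (j < n) value += src[j];
        j++;
      }
      if (j >= n) throw new Error('unterminated string');
      // 'constructor' would reach the property via obj[...]. Hex escapes
      // and 'con' + 'structor' are NOT decoded: the limit of name filtering.
      if (DANGEROUS.has(value)) throw new Error('blocked string: ' + value);
      out += src.slice(i, j + 1); i = j + 1;
    } else if (/[0-9]/.test(c)) {                        // numeric literal
      const m = NUMBER.exec(src.slice(i));
      out += m[0]; i += m[0].length;
    } else if (/[A-Za-z_$]/.test(c)) {                   // identifier/keyword
      let j = i;
      while (j < n && /[A-Za-z0-9_$]/.test(src[j])) j++;
      const word = src.slice(i, j);
      if (DANGEROUS.has(word)) throw new Error('blocked identifier: ' + word);
      const prev = out.replace(/\s+$/, '').slice(-1);
      const next = src.slice(j).replace(/^\s+/, '')[0];
      const isKey = next === ':' && (prev === '{' || prev === ',');
      if (prev === '.' || isKey || KEYWORDS.has(word)) {
        out += word;                 // property name or keyword: unchanged
      } else {
        out += '$' + word;           // free variable: becomes a local
        locals.add('$' + word);
      }
      i = j;
    } else if (c === '\\' || c === '`') {
      // \u0065val would spell eval past the check; template literals can
      // embed arbitrary expressions. Refuse both outright.
      throw new Error('unsupported character: ' + c);
    } else {
      out += c; i++;
    }
  }
  return { code: out, locals: [...locals] };
}

// Runs the rewritten code in a strict-mode function whose only visible names
// are the `$`-prefixed locals plus whatever the host explicitly passes in.
function runSandboxed(src, allowed = {}) {
  const { code, locals } = rewrite(src);
  const params = Object.keys(allowed).map((k) => '$' + k);
  const decl = locals.filter((l) => !params.includes(l));
  const body = '"use strict";' +
    (decl.length ? 'var ' + decl.join(', ') + ';' : '') + code;
  const fn = new Function(...params, body);            // host-side wrapper
  return fn.apply(undefined, params.map((p) => allowed[p.slice(1)]));
}
```

With this, `runSandboxed('return Math.max(2, 3) * 2', { Math })` returns 6 because the host handed in Math, while `runSandboxed('return typeof Math', {})` returns 'undefined' because `Math` was rewritten to a local `$Math` that nothing assigned. `[].constructor`, `x["constructor"]`, `this` and `\u0065val` are all refused before the wrapper is built. The string-escape and concatenation gaps noted in the comments are deliberate: they are exactly where a name-based rewriter stops being a sandbox, which is the reason the run-time object verification done by Caja and MS Web Sandbox exists.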
Brought to you by http://www.webappsec.org