How to work around manifest 2 ban of eval?

271 views
Skip to first unread message

CqN on cr-48 devchannel 0.12.397.0

unread,
Jul 18, 2012, 12:14:38 PM7/18/12
to chromium-...@chromium.org
This is a bit OT, in that it is more a js question.  But the solution has to fit in under the manifest ver 2 limitations, so somebody here may know how.

In an app (chrome notebook) under manifest v1 I had some code like this:

var str = '[ {a:"xx", b:"yy",...}, {a:"pp", b:"qq", ...}, ... {...} ]';  //this is a synthesized (parsed) string of values obtained from a web search
var AA = [];

eval ( 'AA=' +str +';' );  //to get the array of lists into AA

How can the above be re-coded to avoid using eval?  If I split the str with ',' it would split the list items too.  Any suggestions?

Joshua Woodward

unread,
Jul 18, 2012, 12:24:43 PM7/18/12
to CqN on cr-48 devchannel 0.12.397.0, chromium-...@chromium.org
Could you just

var AA=JSON.parse(str)

your str just appears to be a JSON string



--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/-/TvAjhn2n31oJ.
To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.



--



Twitter - @howtohtml5

PhistucK

unread,
Jul 18, 2012, 12:27:49 PM7/18/12
to Joshua Woodward, CqN on cr-48 devchannel 0.12.397.0, chromium-...@chromium.org
Unfortunately, it is not a valid JSON string, because the key names are not double quoted.

PhistucK

Joshua Woodward

unread,
Jul 18, 2012, 12:53:16 PM7/18/12
to PhistucK, CqN on cr-48 devchannel 0.12.397.0, chromium-...@chromium.org
How are you getting str, you say "this is a synthesized (parsed) string of values obtained from a web search"

can that string be cleaned up somehow, made into valid JSON?

PhistucK

unread,
Jul 18, 2012, 12:56:39 PM7/18/12
to Joshua Woodward, CqN on cr-48 devchannel 0.12.397.0, chromium-...@chromium.org
I am sure it can using something along the lines of a JavaScript parser that will emit valid JSON string, but my guess is that the original poster wants to avoid this way (probably a lot of code, if there is a library that even does that).

PhistucK

Joshua Woodward

unread,
Jul 18, 2012, 1:05:46 PM7/18/12
to PhistucK, CqN on cr-48 devchannel 0.12.397.0, chromium-...@chromium.org
I actually meant, however it is originally being created, can it be made valid there first

Is he creating the the original str?
Is it just a response from a server request he maintains, or actually results from a third party (in which case you don't want to eval anyways)?

Maybe it can be made valid before it reaches "var str="

CqN on cr-48 devchannel 0.12.397.0

unread,
Jul 18, 2012, 1:20:42 PM7/18/12
to chromium-...@chromium.org
Joshua,
Thanks for the trip.  A quick experiment as you suggested did not work.  But I will purse this line.

The source is from 3rd party website; but the material I am trying to get into my array is a proper js array of lists.  So if the JSON.parse can handle that, it should work... Well let you know.

Devin

unread,
Jul 19, 2012, 11:48:25 AM7/19/12
to chromium-...@chromium.org
You can try this
var alternateEval = function alternateEval(codeString) {
  retuturn new Function(codeString);
};

alternateEval( 'AA=' +str +';');

Capital Function is the constructor for functions, you can create a new one like so based on a string.

Chacko

unread,
Jul 19, 2012, 11:52:03 AM7/19/12
to Devin, chromium-...@chromium.org
This definitely does not work, since manifest 2 knows this has the same side effect has eval.  Thanks anyway.

Cordially, Chacko the Solangelist
@solangelist



--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.

Joshua Woodward

unread,
Jul 19, 2012, 12:08:29 PM7/19/12
to Devin, chromium-...@chromium.org
You can't use new Function() in manifest version 2 either

this session video from I/O is a lot of help

On Thu, Jul 19, 2012 at 8:48 AM, Devin <devin...@gmail.com> wrote:
--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msg/chromium-extensions/-/criGtwUZPxUJ.

To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.

johnjbarton

unread,
Jul 19, 2012, 12:54:37 PM7/19/12
to chromium-...@chromium.org, Devin


On Thursday, July 19, 2012 9:08:29 AM UTC-7, Joshua Woodward wrote:
You can't use new Function() in manifest version 2 either

So what is the alternative to eval/new Function()? I have a large extension that uses eval for:
  1) a powerful template language that compiles into JS,
  2) a test harness with several hundred tests.

Both of these applications are secure because the source arrives from secure origins. I don't 
understand why eval is being blamed for the failure of the network security system. 
jjb

Devin Rhode

unread,
Jul 19, 2012, 1:41:35 PM7/19/12
to Chacko, chromium-...@chromium.org
you could also try eval in strict mode ('use strict';). Beyond that, you should make your own parsing. Crockfords JSON2.js actually might be able to parse it, and if it can't you'll want to hack on it till it can.

Mihai Parparita

unread,
Jul 19, 2012, 2:08:46 PM7/19/12
to devin...@gmail.com, Chacko, chromium-...@chromium.org
Depending on what you need to eval, you may want to look into running eval() in a sandboxed iframe. Here's a sample:

(it's a packaged app, but the same code will also work in an extension)

main.html contains a <textarea> with a function that needs to be eval()-ed and run. It sends a postMessage to iframe.html, which can eval (and postMessage the result back).

It uses the "sandbox" manifest feature, which is in Chrome 21 or later. If you need to make this work in Chrome 20, you can simulate sandboxed resources by using data: URLs and the sandbox iframe attribute.

Mihai

John J Barton

unread,
Jul 19, 2012, 2:25:26 PM7/19/12
to Mihai Parparita, devin...@gmail.com, Chacko, chromium-...@chromium.org
On Thu, Jul 19, 2012 at 11:08 AM, Mihai Parparita <mih...@chromium.org> wrote:
Depending on what you need to eval, you may want to look into running eval() in a sandboxed iframe. Here's a sample:

(it's a packaged app, but the same code will also work in an extension)

main.html contains a <textarea> with a function that needs to be eval()-ed and run. It sends a postMessage to iframe.html, which can eval (and postMessage the result back).

It uses the "sandbox" manifest feature, which is in Chrome 21 or later. If you need to make this work in Chrome 20, you can simulate sandboxed resources by using data: URLs and the sandbox iframe attribute.

Thanks. I think this hack will work for one of my use cases, the DSL for generating markup. It won't work for the test-harness system because the whole point of the test harness is to drive application functions from the test scripts.

(BTW I have to say the chrome extension system's extensive use of postMessage makes application development ridiculously complex. All parts of my application have to use various versions of this messaging to various other parts of the application. I spend more time on messaging than any other part of my extension).

jjb

PAEz

unread,
Jul 21, 2012, 5:19:44 PM7/21/12
to chromium-...@chromium.org
Here's a link to a JSON parser that doesn't use eval and allows keys to not be quoted (plus a few other nice things)....
...that might suite your needs.

CqN on cr-48 devchannel 0.12.397.0

unread,
Jul 22, 2012, 12:23:00 PM7/22/12
to chromium-...@chromium.org
Thank you very much for all your tips and ideas.  For the time being, I developed a custom .js code to do this.


BTW, of all the ideas presented here, I think only PAEz's one viable (not verified) because of the special subset restrictions of JSON regarding the need to quote the keys, even that one requires double quotes!

PAEz

unread,
Jul 22, 2012, 1:40:40 PM7/22/12
to chromium-...@chromium.org

When you say "..., even that one requires double quotes!" you didnt mean JSON5 did you?
Ill admit I didnt verify it either, but I just did (with manifest version 2) and it parsed your sample just fine.

Stan Wiechers

unread,
Aug 2, 2012, 10:55:09 AM8/2/12
to chromium-...@chromium.org, PAEz
Question: 

Can I go a declarative route? So lets say my plugin essentially use one custom class and jquery operations. If I can express all the actions in json or any other datastructure that my code can interpret without ever using equal can I refresh my *codebase* dynamically?

Example:

regular code:
-----------------

$('.title').css({color:blue,opacity:0.5}).addClass('mine').bind('click',my_method_that_is_already_defined);

declarative style pseudo code:
--------------------------------------

[selektor:
  {
     path:'.title',
    operations:
            [
                css:{color:'blue',opacity:0.5},
                addClass:"mine",
                bind:{type:'click',method: my_method_that_is_already_defined}
            ]
  }
]

If I can express all my actions and interpret them without eval in that way, can I dynamically update my code base from a server?

--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.

To post to this group, send email to chromium-...@chromium.org.
To unsubscribe from this group, send email to chromium-extens...@chromium.org.
For more options, visit this group at http://groups.google.com/a/chromium.org/group/chromium-extensions/?hl=en.



--
"Local color. Soak it up"
Virginia Vidaura

http://www.merkwelt.com/people/stan/

Godmar Back

unread,
Aug 7, 2012, 3:43:05 PM8/7/12
to chromium-...@chromium.org, Mihai Parparita, devin...@gmail.com, Chacko
On Thursday, July 19, 2012 2:25:26 PM UTC-4, johnjbarton wrote:

(BTW I have to say the chrome extension system's extensive use of postMessage makes application development ridiculously complex. All parts of my application have to use various versions of this messaging to various other parts of the application. I spend more time on messaging than any other part of my extension).


Our experience indicates the same.  We (that is, our student Brian) ended up building a local RPC system that allows content scripts to invoke objects in the background page as if they were local, by automatically serializing/deserializing the arguments passed to those functions. This way, we can call functions either directly (in the background context), or via messaging (in content scripts), with the same syntax. Of course, this doesn't work for synchronous calls but fortunately the API of the functions for which we needed it was asynchronous (via the use of a callback function/objects) anyway.

If you're interested, it's described on pg 87 in this MS thesis http://scholar.lib.vt.edu/theses/available/etd-12202011-204944/unrestricted/Nicholson_BR_T_2011.pdf (look for magicImport) 

 - Godmar

Reply all
Reply to author
Forward
0 new messages