Prototype for Evaluation Node in html

ctm

Dec 29, 2015, 5:21:12 AM
to Node-RED
<!DOCTYPE html>
<html>
<body>

<p>The Evaluation node is a simplified version of the Function node that uses the JavaScript eval() function to calculate the fields for posting a message. If the fields are left blank the fields of the arrived message are preserved.</p>
<p>The debug section can be used for fast debugging of code.</p>
<p>The node.status is only parsed to check if it is pure JSON.</p>

<form><pre><code>
msg.payload = eval( <input type="text" id="payload"> );
msg.topic   = eval( <input type="text" id="topic"> );
node.status       ( <input type="text" id="status" value = "optional"> );

return msg;
</code></pre>
Debug section:
<pre><code>
msg.payload = " <input type="text" id="inpayload"> ";
msg.topic =   " <input type="text" id="intopic"> ";

<input type="button" onclick='
var output = ""    ;
try {
var msg = {};
    msg.payload = document.getElementById("inpayload").value;
    msg.topic   = document.getElementById("intopic").value;

    msg.payload = 
( typeof eval(document.getElementById("payload").value) == "undefined" ? msg.payload 
: eval(document.getElementById("payload").value));
    msg.topic =
( typeof eval(document.getElementById("topic").value) == "undefined" ? msg.topic 
: eval(document.getElementById("topic").value));
    output += "msg.payload: <q>" + msg.payload +"</q><br>";  
    output += "msg.topic  : <q>" + msg.topic +"</q><br>";  
    

    output +=  ( String(document.getElementById("status").value) === String("optional") ? "" 
: "node.status(  " + JSON.stringify(JSON.parse(document.getElementById("status").value))+"  )");


    document.getElementById("result").innerHTML = output
}
catch(err) {
    document.getElementById("result").innerHTML = output+"Error: "+err.message;
}
' value="test"> output: <pre id="result"></pre>
</code></pre></form>

</body>
</html>

Julian Knight

Jan 2, 2016, 4:47:54 AM
to Node-RED
Really not a good idea I'm afraid.

Although I don't think this is outlined in the docs, the reason that the function node uses a virtual environment (one of the capabilities provided by Node.js) is to ensure that the incoming user data can't do anything dangerous. This is especially important if you have a global install of NR as it may be running as root rather than as a restricted user.

Eval should only be used with extreme caution and with all inputs severely limited. Allowing unrestricted user input on a web page and then eval'ing it creates a massive security hole.

Also, I think that if you look at the "res" part of the html input node, you already get the form data in a usable format. What you are doing here might be useful if you were going to use websockets to handle data transfer, overriding the normal form submission event.

Cornie Malan

Jan 2, 2016, 9:19:23 AM
to node...@googlegroups.com
I am not suggesting going outside the sandbox. Using eval() inside the sandbox will be simpler for new users.

Can one use eval() inside the function node at the moment?

c-:

--
http://nodered.org
---
You received this message because you are subscribed to a topic in the Google Groups "Node-RED" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/node-red/9IV1XLoEzLA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to node-red+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nicholas O'Leary

Jan 2, 2016, 9:26:35 AM
to node...@googlegroups.com

The point is eval is dangerous and its use should be discouraged - especially for new users who won't be aware of the risks it can pose.

What you haven't explained in this thread is exactly what you are proposing. You've shared an HTML page - What is it? How is it meant to be used? What problem are you trying to solve?

Nick





Mark Setrem

Jan 2, 2016, 9:28:08 AM
to Node-RED

"simpler for new users."  to do what?   

Cornie Malan

Jan 2, 2016, 10:38:03 AM
to node...@googlegroups.com
The learning curve for the full function node is a bit.  What I propose is a simpler node that users can use to do simple calculations, still in a sandbox.

sample with user input inside [ ]:

msg.payload = [ "gateway/"+ context.global.id + "/" + msg.topic + "/" + msg.payload ]

msg.topic = [                                                         ]

This will then use something like eval() in the sandbox making code like ( msg.payload > 30 ? "alarm" : "normal" ) possible.

It is really just supposed to be a simpler form of the function node.

c-:



On 2 January 2016 at 16:28, Mark Setrem <mse...@gmail.com> wrote:

"simpler for new users."  to do what?   

What problem are you trying to solve?


Nicholas O'Leary

Jan 2, 2016, 10:46:46 AM
to node...@googlegroups.com

What the node uses in the runtime is irrelevant to the end user - just because the node provides a stripped down ui does not mean the runtime side of it should use eval.

In this instance, I can see this sort of thing fitting well with the existing Change node - that already provides a succinct way to set a given property's value. In the next release it also gets a much richer set of capabilities around what values it can set - it is no longer limited to simple string values. I can see a future enhancement where the change node allows the user to provide a simple expression that will get (safely) evaluated - much like a spreadsheet function. Lots to think about in terms of what types of expression that should support... but it is the right place for it, rather than a new node.

Nick.
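
An added example (not written by anyone in this thread and not Node-RED's code): one way to get the "safely evaluated" spreadsheet-style expression discussed above, and the "inputs severely limited" point made earlier in the thread, without calling eval(). The names `safeEval` and `tokenize` and the `{ msg, context }` scope layout are hypothetical; the grammar accepts only literals, dotted property paths, arithmetic, comparisons, `?:` and parentheses, so function calls and assignment are syntax errors.

```javascript
// Added example (hypothetical names): whitelist expression evaluator, no eval() or Function().
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|"([^"]*)"|'([^']*)'|([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)|(>=|<=|==|!=|[-+*\/()?:<>]))/y;
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function tokenize(src) {
  const out = [], end = src.trimEnd().length;
  for (let pos = 0; pos < end; pos = TOKEN.lastIndex) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(src);
    if (!m) throw new SyntaxError("unexpected character at offset " + pos);
    if (m[1] !== undefined) out.push({ t: "num", v: Number(m[1]) });
    else if ((m[2] ?? m[3]) !== undefined) out.push({ t: "str", v: m[2] ?? m[3] });
    else if (m[4] !== undefined) out.push({ t: "path", v: m[4].split(".") });
    else out.push({ t: m[5] }); // operator or parenthesis
  }
  return out;
}
function safeEval(src, scope) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => (toks[i] ? toks[i].t : undefined);
  const take = (t) => { if (peek() !== t) throw new SyntaxError("expected " + t + " at token " + i); return toks[i++]; };
  // Own properties only, so msg.constructor or msg.__proto__ resolve to undefined.
  const lookup = (path) => path.reduce((obj, key) =>
    obj !== null && typeof obj === "object" && own(obj, key) ? obj[key] : undefined, scope);
  function atom() {
    const t = peek();
    if (t === "num" || t === "str") return take(t).v;
    if (t === "path") return lookup(take(t).v);
    if (t === "-") { take("-"); return -atom(); }
    take("("); const v = ternary(); take(")"); return v;
  }
  const binary = (next, ops) => () => { // left-associative operator level
    let left = next();
    while (own(ops, peek())) left = ops[take(peek()).t](left, next());
    return left;
  };
  const term = binary(atom, { "*": (a, b) => a * b, "/": (a, b) => a / b });
  const sum = binary(term, { "+": (a, b) => a + b, "-": (a, b) => a - b });
  const cmp = binary(sum, { ">": (a, b) => a > b, "<": (a, b) => a < b, ">=": (a, b) => a >= b,
    "<=": (a, b) => a <= b, "==": (a, b) => a === b, "!=": (a, b) => a !== b });
  function ternary() {
    const cond = cmp();
    if (peek() !== "?") return cond;
    take("?"); const yes = ternary(); take(":"); const no = ternary();
    return cond ? yes : no;
  }
  const result = ternary();
  if (i < toks.length) throw new SyntaxError("unexpected token at index " + i);
  return result;
}
```

With a constructed message, `safeEval('msg.payload > 30 ? "alarm" : "normal"', { msg: { payload: 42 } })` returns `"alarm"`, while input containing a call or `=` throws a `SyntaxError` instead of running.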



Cornie Malan

Jan 3, 2016, 12:08:31 AM
to node...@googlegroups.com
@Nick, upgraded change node would be perfect.

I would suggest that it support valid js expressions and expression statements.

c-:

Mark Setrem

Jan 3, 2016, 5:25:53 AM
to Node-RED
But you said you wanted it "simpler for new users". I doubt that new users are going to understand the syntax of js expressions and expression statements.

Surely if you understand the js expressions and expression statements you aren't going to be put off by the function node?

Cornie Malan

Jan 3, 2016, 12:06:24 PM
to node...@googlegroups.com
Well at least you would also be able to do simple stuff like "hello, this is message: " + msg.payload

c-:

On 3 January 2016 at 12:25, Mark Setrem <mse...@gmail.com> wrote:
But you said you wanted it "simpler for new users". I doubt that new users are going to understand the syntax of js expressions and expression statements.

Surely if you understand the js expressions and expression statements you aren't going to be put off by the function node?

Mark Setrem

Jan 3, 2016, 12:33:16 PM
to Node-RED
You might want to take a look at the template node...