Compiling subset of JavaScript to sanitise?

[David Tinker]

Hi Everyone

I have a Java application that I need to make extensible. One way to do that would be to execute a subset of user supplied JavaScript for extensions. I was thinking that this might be possible with the Closure Compiler. Build a syntax tree for the untrusted code, check it against a whitelist of ok stuff and emit trusted JS if ok.

Is this a really stupid idea? Is it possible? Any other suggestions?

The JS code would be executed using Nashorn if that helps.

Thanks

David

[David Tinker]

Nevermind .. It seems the better approach is to run the JS code in a sandboxed environment. Looking at this: https://github.com/javadelight/delight-graaljs-sandbox

--

---
You received this message because you are subscribed to the Google Groups "Closure Compiler Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to closure-compiler-d...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/closure-compiler-discuss/810083e6-22b1-4287-aedc-b6a5685d5cb5n%40googlegroups.com.

[rish...@google.com]

It should be possible to invoke closure compiler from your java application. There is a limited documentation here -  https://github.com/google/closure-compiler/wiki/FAQ#how-do-i-call-closure-compiler-from-the-java-api.

Example usage -  http://blog.bolinfest.com/2009/11/calling-closure-compiler-from-java.html

However, the API usage in the blog post is not up to date. 

[David Tinker]

Thanks but in the end I got a sandbox going with GraalJSScriptEngine using the Delight Graal JS sandbox for inspiration. You can lock it down quite well.

You received this message because you are subscribed to a topic in the Google Groups "Closure Compiler Discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/closure-compiler-discuss/yknf43zUV5U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to closure-compiler-d...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/closure-compiler-discuss/deba2467-7bd6-4212-bc3f-5b1f1dd6c97bn%40googlegroups.com.