Re: [Caja] sanitized eval with Caja

16 views
Skip to first unread message

Mark Miller

unread,
Jan 7, 2019, 2:59:09 PM1/7/19
to Google Caja Discuss, SES Strategy, fr...@googlegroups.com, cap-...@googlegroups.com, Discussion of E and other capability languages
We have set up a Discourse site at https://ocapjs.org/ for discussing object-capabilities (ocaps) for JavaScript. I suggest that further discussion on this topic should move there.



On Mon, Jan 7, 2019 at 11:51 AM Mark Miller <eri...@gmail.com> wrote:
Hi Yehonathan,

From your description, I suspect you want the SES library at https://github.com/Agoric/SES rather than Caja.

Caja contains the original-SES, which still works fine, but mostly supports only the features from EcmaScript 5 with a few select elements of EcmaScript 6.

SES is built on modern JavaScript and supports modern JavaScript --- including all of the EcmaScript 2018 standard. It is also much faster than the original-SES in Caja. SES is a joint effort of Agoric and Salesforce. Unlike Caja, SES runs everywhere modern JavaScript runs, including both browser and Node. See

OTOH, Caja contains Domado, which is a taming of the browser and DOM APIs, so that you can give your untrusted code access to a subtree of you DOM tree. We expect to reproduce this functionality eventually on modern SES but, currently, we are not treating it as urgent. If you need Domado functionality in order to use SES rather than Caja, please let us know.



On Mon, Jan 7, 2019 at 8:19 AM Mike Stay <meta...@gmail.com> wrote:
Yes, this is what Caja was designed to do.  You may not need all of
Caja, though.  Can you tell us more about what you'd like to allow
them to do?

On Mon, Jan 7, 2019 at 8:32 AM Yehonathan Sharvit <vie...@gmail.com> wrote:
>
> Hello Caja folks,
>
> I'd like to allow users to eval javascript code snippets on my website.
> But eval is too dangerous.
>
> I was thinking of using Caja to provide a sanitized version of eval.
>
> Is it possible with caja to evaluate dynamic code snippets provided by users?
> If yes, how?
>
> Thanks,
> Yehonathan
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.



--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com

--

---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
  Cheers,
  --MarkM


--
  Cheers,
  --MarkM
Reply all
Reply to author
Forward
0 new messages