[WEB SECURITY] JSReg: Javascript based RegExp sandbox

gaz Heyes gazheyes at gmail.com
Fri Jul 3 17:52:17 EDT 2009


2009/7/3 Terri Oda <terri at zone12.com>

> I've been talking with some colleagues about doing something similar using
> those JS closures, but it'd be even easier if I could just use what you've
> got as a starting place, so.. Thank you!  I look forwards to poking around
> with it.


Hey Terri, I initially thought closures could be used to prevent deletion or
overwriting of native functions, but I was wrong. After many different
attempts, the best way I could find, other than creating a string parser, is to
disable dangerous properties or do the Caja approach. The version that
exists at the moment is a good starting point; it allows quite a lot of
JavaScript and prevents dangerous assignments as well as making variables
within the local scope. If you do want to use it after looking at the code,
let me know and I'll put some license on there, probably MS-PL, which should
be free for you to use in other projects. This is going to be an OWASP
project, so if you want to get involved you're more than welcome.


> Have you taken a look at Microsoft's Web Sandbox?
>
> http://websandbox.livelabs.com/
>
> It sounds superficially similar, but I haven't looked at it deeply yet.


Yeah, I've looked at MS Web Sandbox and it is better than mine (as is Caja).
They actually control JavaScript, CSS and HTML and verify the objects. The
reason I'm not using either on my project is that Caja uses Java (which I
don't think is required) and the MS sandbox requires remote inclusion or
Silverlight.