Safe user scripts?

I'm thinking about allowing users to add scripts to the site (for example as widgets) with Phoenix and Ecto.
Can I limit the API and check if a script is safe?
For example:

let data1 = 5;
let data2 = "abc";
let data = [data1, data2];
let user_script = "...";
let allowed_api = [Math]
safe_eval_script(user_script);
let user_widget = new UserScriptWidget(data, allowed_api); // Script ONLY declares one class

so when the script tries to run:

window.location.reload()

then the script should throw an error (window is not in the allowed API).
I also want to allow the user script to modify only one element (with children - no parent(s), no sibling(s)).
The script should be validated (before saving), so that, for example, there is no code outside the class.
Is it possible?
(Yeah, I know that I have crazy ideas :smile:)

This doesn’t seem like it actually has anything to do with Elixir/Phoenix.

@gon782: It’s not easy to validate JavaScript code, so there is no simple regex to match what I need. I want to do this validation server-side - in Elixir. I know there are already HTML parsers like Floki, but I have no idea how to properly parse and validate JavaScript code.

This really smells like a bad idea no matter how you look at it, XSS vulnerabilities exist to the extent you have never imagined before… probably still not helping, but are you sure you need to do this? Isn’t there any other way to achieve what you really want?

There is no way for you to magically hijack JS execution from the client and handle it server-side. JS runs client-side and even if you did make the round-trip to the server and back it’d be entirely voluntary and presumably only done via a websocket layer or the like. You wouldn’t be solving any problem you couldn’t more readily solve by doing validation client-side.

It’s not strictly required. I’m just asking if it’s possible. If it is really needed, I could add a mechanism to verify it as admin.
I want to allow extending the site and optionally sharing scripts with other users (here validation is needed). I can also let a user save a script without validation and therefore without sharing.
There are lots of sites that allow uploading CSS files. A style tag can have a scoped element (currently supported in Firefox), so it will not affect all elements on the site.
I was thinking of something similar for JavaScript, but validating it on the client side and sending the file afterwards is not safe, so I asked about JavaScript code validation in Elixir + limiting the JavaScript API on the client side.

There’s tools that do just that: http://stackoverflow.com/a/12549277/

But I think it would be a lot less work to just sandbox the code in the browser e.g. https://github.com/asvd/jailed

Caja - no - it’s for everything (HTML, CSS, JavaScript) - I only need JavaScript (I will create a tag and put the contents in it or set a URL for the script)
AdSafe - I have a problem setting it up
but
Jailed is 99,(9)% what I want. Yes, the sandbox option is really good. They added similar code to mine (pass data and call by path). I only need to test what would happen if I pass a DOM element (I don’t want access to parents) - it’s the 0.(0)1% I haven’t checked yet.
Edit: I see they linked to a sandboxed iframe tutorial - yes, that could work.
Really, thanks!
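
Added example, not part of any post in this thread and not Jailed's code: a host-side gate for the "allowed API, called by path" idea discussed above, assuming the user script already runs in a sandbox (sandboxed iframe or worker) and can only send messages. The message shape and the names `ALLOWED_API`, `resolveAllowed` and `handleSandboxMessage` are hypothetical.

```javascript
// Added example: host-side gate for messages coming from a sandboxed user script.
// Assumed message shape (hypothetical): { path: "Math.max", args: [1, 2] }.

// Allowlist: namespace name -> object whose own functions may be called.
const ALLOWED_API = Object.freeze({ Math });

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Resolve "Namespace.function" using own properties only, so inherited names
// such as "constructor" or "__proto__" never resolve.
function resolveAllowed(api, path) {
  if (typeof path !== "string") throw new TypeError("path must be a string");
  const [ns, fn, ...rest] = path.split(".");
  if (!own(api, ns)) throw new Error(`namespace not allowed: ${ns}`);
  const target = api[ns];
  if (rest.length > 0 || !fn || !own(target, fn) || typeof target[fn] !== "function") {
    throw new Error(`function not allowed: ${path}`);
  }
  return target[fn].bind(target);
}

// Handle one message from the sandbox; always answers with plain data.
function handleSandboxMessage(api, message) {
  try {
    const { path, args } = message ?? {};
    if (!Array.isArray(args)) throw new TypeError("args must be an array");
    // Only primitives cross the boundary: no functions, objects or DOM nodes.
    for (const arg of args) {
      if (!["number", "string", "boolean"].includes(typeof arg)) {
        throw new TypeError("argument type not allowed");
      }
    }
    return { ok: true, result: resolveAllowed(api, path)(...args) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample messages, as a sandboxed script might send them.
const samples = [
  { path: "Math.max", args: [1, 5, 3] },         // allowed
  { path: "window.location.reload", args: [] },  // namespace not in allowlist
  { path: "Math.constructor", args: ["x"] },     // inherited, not an own function
];
for (const m of samples) console.log(m.path, handleSandboxMessage(ALLOWED_API, m));
```

In a browser this handler would sit behind a `message` event listener that first checks `event.source` is the sandboxed iframe's `contentWindow`. DOM elements cannot be sent through `postMessage` at all, so the sandboxed script never receives a node from which it could reach parents.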