堆栈内存溢出
  简体   繁体   English

限制用户可以输入的JavaScript

[英]Limit what javascript a user can input

 原文  2015-12-17 18:38:56       javascript/ angularjs/ node.js/ mean-stack

问题描述

I want to allow users to enter their own math formulas into a field that I can run via javascript, but I only want them to enter math related code and also let them have access to only the Math object. 我想允许用户在可以通过javascript运行的字段中输入自己的数学公式,但我只希望他们输入与数学相关的代码,还希望他们只能访问Math对象。

So I only want the user to be able to enter math symbols (+, -, *, %, etc) and use any function in the Math object. 因此,我只希望用户能够输入数学符号(+,-,*,%等)并使用Math对象中的任何函数。

I initially thought about using regex on the client and server to verify that they are only typing in what i allowed, and since they wont be able to run that code before it goes to the server, i thought maybe it would be OK, but I still don't know if just regex itself would even work for this. 我最初考虑在客户端和服务器上使用正则表达式来验证它们是否只输入了我所允许的内容,并且由于他们无法在服务器上运行该代码,所以我认为可能可以,但是我仍然不知道正则表达式本身是否可以解决这个问题。

How can I go about safely allowing and trusting a users input like this? 我该如何安全地允许并信任这样的用户输入?

Edit: The formulas will always run on the client, but I will store them in the db as a string that i can send to them when they want to run it. 编辑:公式将始终在客户端上运行,但是我会将它们作为字符串存储在db中,当他们想要运行它们时可以将其发送给他们。

2 个解决方案

解决方案1
 1  2015-12-17 19:59:35

So a number of comments led me to find MathJs , and from reading some of the docs and comments on that site I see it is safe to allow user input and also allows the Math object. 因此,许多评论使我找到了MathJs ,并且通过阅读该站点上的一些文档和评论,我看到允许用户输入并允许Math对象是安全的。

And combining this with workerpool to limit execution time, I think that should have everything I'm needing. 并将其与workerpool结合使用以限制执行时间,我认为应该具有我需要的一切。

Thanks to those who helped point me in the right direction! 感谢那些帮助我指出正确方向的人!

解决方案2
 0  2015-12-17 19:17:17

If you can guarantee that text will not be executed on the server then conceptually you can try evalFormula below : 如果可以保证文本不会在服务器上执行,那么从概念上讲,您可以尝试以下evalFormula 

<html>
  <head>
    <script type="text/javascript">

    function evalFormula(str) {

      // shielding 
      var window = null;  
      var document = null;

      // shortcuts
      var abs = Math.abs;

      return eval(str); 
    }

    console.log( evalFormula("abs(-42)") );    
    console.log( evalFormula("document.write('')") ); // throws error

    </script>
  </head>
<body>
</body>
</html>

Note that the function contains // shielding section that shall contain "caps" for all "dangerous" objects that shall be prohibited in formula context. 请注意,该函数包含// shielding部分,其中应包含在公式上下文中应禁止的所有“危险”对象的“上限”。 Note: that set is quite difficult to define in full but in principle possible. 注意:很难完全定义该集合,但原则上可以定义。

Local scope of the function may contain shortcuts of Math functions, so they can be used as abs(-42) but not as Math.abs(-42) . 该函数的本地范围可能包含Math函数的快捷方式,因此它们可以用作abs(-42)而不能用作Math.abs(-42)

Idea of the code above: In JS eval() gets executed in context of current function. 上面的代码思想:在JS中, eval()在当前函数的上下文中执行。 So all its local variables are available for the text being evaluated. 因此,它的所有局部变量都可用于要评估的文本。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 不使用JavaScript限制用户输入的速率 - Rate limit user input without using JavaScript 如何限制用户输入的数量? - How can I limit the user input in quantity? 限制格式化用户输入的宽度-Javascript,CSS或jQuery - Limit width of formatted user input - Javascript, CSS or jQuery 如何将输入字段中可以提交的内容限制为一组选项? - How to limit what can be submitted in an input field to an array of options? 如何限制数据列表中的用户输入? - How to limit user input in a datalist? javascript限制文字输入字符 - javascript limit text input characters 使用javascript限制输入表单中的字符 - limit characters in input form with javascript Javascript 将输入限制为特定数字 - Javascript limit input to specific numbers javascript中如何限制多次输入 - How to limit multiple input in javascript 将用户输入的输入数字限制为4位数字 - Limit the user's input in an input number to 4 digits
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM