Re^2: Sharing JS-Code on perlmonks.org

oops... wow that's much easier than what I figured out. (silly me! : )

The following code in my free nodelet loaded and executed code from my scratchpad:

<h5>embeddingtest</h5>
<!--
<script>
 function evalFrame(iframe) {
  var html =iframe.contentDocument.body.innerHTML;
  html=html.replace(/^<pre>/,"");
  html=html.replace(/<\/pre>$/,"");
  eval(html)
 }
</script>
<iframe name="embed" height=30 width=150 onload="evalFrame(this)" styl
+e="display:none" src="index.pl?abspart=1;displaytype=displaycode;node
+_id=708739;viewmode=public;part=1"></iframe>
[download]

(my example code changes the title of the window, without stopping the build up of the page like alert() does)

just some notes:

1. With my method I needed to truncate some html-code, now I realize that it's the browser who inserted this code by itself.
2. "viewmode=public;" was necessary for me because sometimes the server choosed my private scratchpad instead.
3. The extra request slows down the browser and server.
4. IMHO you don't need jQuery for XmlHttpRequests, why do you think so?

Why do you consider sharing JS-code as a risk? An intruder can only manipulate pages within the perlmonks sandbox not my online banking. IMHO using opensource software is a much higher risk...

Cheers Rolf

Comment on Re^2: Sharing JS-Code on perlmonks.org Download Code

Replies are listed 'Best First'.
Re^3: Sharing JS-Code on perlmonks.org by Corion (Patriarch) on May 19, 2009 at 10:02 UTC
I consider embedding JS from a third party source a risk because you don't control said third party - especially anybody who steals the login of said third party can then execute code as you on your machine under the security context of `perlmonks.org`, potentially wiping all your nodes or worse. If you don't want the extra request to "slow down" your browser, you can try making the request to a different domain than the "main" Perlmonks domain you're using. Alternatively, you can of course put the Javascript onto a different machine that serves static files and hence might be faster. I like jQuery because it encapsulates XmlHttpRequest into something that works with less pain than me having to dive into the incompatibilities between browsers and potentially having to write a poll loop. Also, I like the way jQuery allows DOM manipulation, hence I don't write my own Javascript for that anymore but use a library.	[reply] [d/l]
Re^4: Sharing JS-Code on perlmonks.org by LanX (Saint) on May 19, 2009 at 10:11 UTC
OK hijacking the account may be easier than manipulating sourceforge... Well, JQuery needs gzipped about 19kb, so it's by itself a candidate for an embedded external JS... But I see your point. Cheers Rolf	[reply]
Re^4: Sharing JS-Code on perlmonks.org by Anonymous Monk on Nov 26, 2010 at 10:33 UTC
For embedding JS from third parties see http://www.adsafe.org/ - Making JavaScript Safe for Advertising Related http://www.crockford.com/codecamp/ http://code.google.com/p/google-caja/ - A source-to-source translator for securing Javascript-based web content	[reply]