TechQA.

What's the safest way to allow JavaScript written on the client, to be executed on the server?

149 views Asked by At

I would like to allow our users to write string parsing logic in JavaScript, that would then be executed on the server.

Edit (more info):

  • Regex is not an option as they will need if, else, switch etc
  • I would like to avoid creating a custom language
  • The idea is if the user knows JS they can write custom logic

I have looked at Stopping Infinite Loops by CodePen where they generate an Abstract Syntax Tree using Esprima and then regenerate the JavaScript we use Escodegen. What worries me with that approach is that someone could still introduce some kind of Unicode hack.

javascript node.js abstract-syntax-tree esprima escodegen
Original Q&A
2

There are 2 answers

2
georg On

The safest way would be to create your own parser/interpreter for some subset of javascript (or any other scripting language), or your own domain-specific lang. It's a lot of work, but still much easier and more secure than maintaining a sandboxed javascript VM on the server and communicating with it.

0
Eriks Klotins On

An idea:

  1. users write their custom functions on a webpage

  2. webpage fetches data from the server

  3. the custom function is applied on the data on client side

  4. results are sent back to the server (make sure the results are not compromised)

Related Questions in JAVASCRIPT

Related Questions in NODE.JS

Related Questions in ABSTRACT-SYNTAX-TREE

Related Questions in ESPRIMA

Related Questions in ESCODEGEN

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions