[x3d-public] Interesting Example; Script source code CDATA escaping,references

Don Brutzman brutzman at nps.edu
Mon Jun 20 16:29:03 PDT 2016


On 6/20/2016 3:47 PM, John Carlson wrote:
> If I recall correctly, I cannot even use CDATA in XHTML.

For the stylesheet conversions, I include CDATA within X3D Script nodes within .xhtml pages using X3DOM.

>  So that leaves text nodes...or are there things called script nodes?

Yes text elements.  No HTML Script elements in DOM.

> Thanks for advice about try catch...if I don't have it I will add it.

Very good.   Hmm, we should probably add links for Javascript security considerations to

	X3D Resources: Security
	http://www.web3d.org/x3d/content/examples/X3dResources.html#Security

I found the following:

	http://www.veracode.com/security/javascript-security

	https://www.sitepoint.com/importance-client-side-javascript-security/

	http://stackoverflow.com/questions/3793246/javascript-security-risks

	http://security.stackexchange.com/questions/94017/what-are-the-security-issues-with-eval-in-javascript

	http://www.slideshare.net/orysegal/clientside-javascript-vulnerabilities

	http://www.howtocreate.co.uk/tutorials/javascript/security

Any recommendations?  Aware of anything authoritative?



> On Jun 20, 2016 10:57 AM, "Don Brutzman" <brutzman at nps.edu <mailto:brutzman at nps.edu>> wrote:
>
>     On 6/18/2016 1:32 PM, John Carlson wrote:
>
>         Yes, but what do I do for HTML/HTML5?  I know I can use CDATA with XML.  Should I make my users all use XHTML and force the point?  It might help…
>
>
>     Using CDATA to wrap and protect text from escaping is a helpful technique, for authors and for generators.
>
>     Using CDATA is not ever required, since if you apply escapes correctly you don't need it.  However, getting there can be tricky.  Further, source-code blocks like (a &lt; b) are not very portable/readable/searchable.
>
>     Meanwhile, interestingly, the HTML5 Recommendation says that use of CDATA sections is limited in the HTML Syntax.
>
>             8.1.5 CDATA sections
>             https://www.w3.org/TR/html5/syntax.html#cdata-sections
>             "CDATA sections can only be used in foreign content (MathML or SVG)."
>
>          Right now, I am putting the CDATA stuff in a text node.  I could leave off the CDATA stuff too and use just a text node with no CDATA annotation.
>
>
>     yes, variety of choices.
>
>         I can take script entirely out of the question, and eval them, so they don’t appear in the DOM.  I think that may create a separate namespace, not sure.
>
>
>     Using eval() for javascript evaluation of scripts is considered a very risky practice, correct?  Do you have an exception catcher or  safety net around such a step?
>
>         Thanks,
>
>
>
>         John
>
>
>
>         Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
>
>
>         *From: *Don Brutzman <brutzman at nps.edu>
>         *Sent: *Saturday, June 18, 2016 11:43 AM
>         *To: *John Carlson <yottzumm at gmail.com>; Roy Walmsley <roy.walmsley at ntlworld.com>
>         *Cc: *Holger Seelig <holger.seelig at yahoo.de>; x3d-public at web3d.org
>         *Subject: *Re: Interesting Example; Script source code CDATA escaping,references
>
>
>
>         Sounds great, looks like what you have should work.  You might also want to check on ampersand (&, &amp;) escaping.
>
>
>
>         This is why it is good practice in XML encoding to wrap any javascript source within a Script node inside a CDATA block.  CDATA "character data" means the xml/xhtml parser must avoid escaping any characters like < into &lt; etc.
>
>
>
>         Examples and references follow.
>
>
>
>         From X3D specification ISO/IEC 19776-1 XML encoding:
>
>
>
>         6.2.179 Script
>
>         http://www.web3d.org/documents/specifications/19776-1/V3.3/Part01/EncodingOfNodes.html#Script
>
>         ========================================================
>         <Script  DEF=""
>                         USE=""
>                         directOutput="false"
>                         mustEvaluate="false"
>                         url=' '
>                         containerField="children"
>
>             <IS> <connect nodeField="" protoField=""/> </IS>
>             <field name="" type="" accessType="" value=""/>
>             <![CDATA[
>                ecmascript:
>                // contained script code here (if any)
>             ]]>
>         </Script>
>         ========================================================
>
>
>
>         and
>
>
>
>         4.3.13 Encapsulating Script node code
>
>         http://www.web3d.org/documents/specifications/19776-1/V3.3/Part01/concepts.html#EncapsulatingScriptNodeCode
>
>         ========================================================
>
>         Code for scripts should not be placed so as to be parsed by XML parsers. Therefore, such code should be encapsulated to avoid such parsing. The preferred method to encapsulate source code in a Script node is to wrap it in a child CDATA construct following the <field/> and <IS><connect/></IS> definitions. The CDATA construct (see 2.[XML]) ensures that all contained characters are treated literally without further escaping or modification.
>
>
>
>         If both a url field and a CDATA clause are encountered, the url field is processed first. Thus, the CDATA construct can also be considered equivalent to one additional value appended to the url MFString array. This ordering allows an online script code url to take priority over fallback default script code in the CDATA construct. This ordering also allows run-time updates if a viewer is connected to the network, if so desired by the originating author.
>
>
>
>         EXAMPLE  The following example demonstrates the use of a CDATA construct within a Script node:
>
>              <Script directOutput='true'>
>                <field name='ROOT' type='SFNode' accessType='initializeOnly'>
>                  <Transform USE='ROOT'/>
>                </field>
>              <![CDATA[
>
>                javascript:
>
>                function R ()
>                {
>                  return Math.random();
>                }
>
>                function initialize()
>                {
>                  for (i=0; i < 10; i++)
>                  {
>                    rand1 = 100*R();
>                    rand2 = 100*R();
>                    rand3 = 20*R();
>                    rand4 = 40*R();
>                    rand5 = 20*R();
>                    string =
>                      'Transform {' +
>                      '  translation ' + rand1 + ' 0 ' + rand2 +
>                      '  children [' +
>                      '    Shape {' +
>                      '      appearance Appearance {' +
>                      '        material Material {' +
>                      '          diffuseColor ' + R() + ' ' + R() + ' ' + R() +
>                      '        }' +
>                      '      }' +
>                      '      geometry Box {' +
>                      '        size ' + rand3 + ' ' + rand4 + ' ' + rand5 +
>                      '      }' +
>                      '    }' +
>                      '  ]' +
>                      '}';
>                      newNode = Browser.createVrmlFromString(string);
>                      ROOT.children[i] = newNode[0];
>                }
>              }
>
>              ]]>
>              </Script>
>         ========================================================
>
>
>
>         Additional references:
>
>
>
>         X3D Scene Authoring Hints: Scripts
>
>         http://www.web3d.org/x3d/content/examples/X3dSceneAuthoringHints.html#Scripts
>
>
>
>         X3D Tooltips: Scripts
>
>         http://www.web3d.org/x3d/content/X3dTooltips.html#Script
>
>
>
>         X3D Example Archives: X3D for Web Authors, Chapter 09 - Event Utilities Scripting
>
>         http://x3dgraphics.com/examples/X3dForWebAuthors/Chapter09-EventUtilitiesScripting
>
>
>
>         X3D for Web Authors, chapter 9
>
>
>
>         X3D for Web Authors, slideset, Event Utilities and Scripting (106 slides)
>
>         http://x3dgraphics.com/slidesets/X3dForWebAuthors/Chapter09-EventUtilitiesScripting.pdf
>
>         (note first half of document is just presentation slides, second half is slides + annotations)
>
>
>
>
>
>         Course videos: Event Utilities, Scripting
>
>
>
>         https://www.youtube.com/playlist?list=PLuSIsM-86sik26mcDz0w_wdFXOUp56FTr
>
>         https://www.movesinstitute.org/Video/Courses/X3dForWebAuthors/X3dForWebAuthorsVideo.html#9
>
>
>
>
>
>         On 6/18/2016 3:25 AM, John Carlson wrote:
>
>             Okay, I was able to make gears.json work with the X3D JSON Loader and the server side proto expander with cobweb.  I may have to work on the client side prototype expander some more to make it work with X3DOM (likely it’s a script issue instead).
>
>             What I did was replace < and > before sending to CreateX3DFromString, avoiding any web browser interpretation.
>
>             John
>
>             Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
>             *From: *John Carlson <yottzumm at gmail.com>
>             *Sent: *Saturday, June 18, 2016 3:42 AM
>             *To: *Roy Walmsley <roy.walmsley at ntlworld.com>; Don Brutzman <brutzman at nps.edu>
>             *Cc: *Holger Seelig <holger.seelig at yahoo.de>; x3d-public at web3d.org
>             *Subject: *RE: Interesting Example
>
>             Okay, I figured out why the X3D JSON Loader wouldn’t load it. When I serialize the JSON to XML, the < and > get converted to &lt; and &gt;.  These are not valid to VRMLScript?  I am not sure.  I will try to do a replacement.  I think the best thing to do may be to create a CDATA Section instead of a text node, but I’m not ready to do that (doesn’t work with HTML, I’d say off the cuff).
>
>             I do have this, which appears to be partially working:
>
>                     // Fix CDATA sections: the serializer escaped the markers
>                     // themselves as &lt;![CDATA[ and ]]&gt;, so restore those first.
>                     xmlstr = xmlstr.replace(/&lt;!\[CDATA\[/g, "<![CDATA[");
>                     xmlstr = xmlstr.replace(/\]\]&gt;/g, "]]>");
>                     // Then turn &lt; back into < inside the section, one occurrence
>                     // per pass, until a pass changes nothing. Note: group 1 is greedy,
>                     // so the match runs from the first <![CDATA[ to the last ]]> and
>                     // also touches any text between two CDATA sections; each pass
>                     // rescans the whole string, so this is quadratic on large input.
>                     do {
>                             var xmlstr2 = xmlstr;
>                             xmlstr = xmlstr2.replace(/(\<\!\[CDATA\[[\s\S]*)&lt;([\s\S]*\]\]\>)/gi, "$1<$2");
>                     } while (xmlstr !== xmlstr2);
>                     // Same for &gt; back into >.
>                     do {
>                             xmlstr2 = xmlstr;
>                             xmlstr = xmlstr2.replace(/(\<\!\[CDATA\[[\s\S]*)&gt;([\s\S]*\]\]\>)/gi, "$1>$2");
>                     } while (xmlstr !== xmlstr2);
>
>             John
>
>             Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
>             *From: *John Carlson <yottzumm at gmail.com>
>             *Sent: *Saturday, June 18, 2016 3:15 AM
>             *To: *Roy Walmsley <roy.walmsley at ntlworld.com>; Don Brutzman <brutzman at nps.edu>
>             *Cc: *Holger Seelig <holger.seelig at yahoo.de>; x3d-public at web3d.org
>             *Subject: *RE: Interesting Example
>
>             This example has a lot of scripting, and I doubt if my prototype expander is up to dealing with scripts yet.  If we could get a version without scripts, I could try loading it.  As it is, even without the prototype expander, the X3D JSON Loader will not load gears.json, even with a Cobweb renderer.  Something to work on.
>
>             Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
>             *From: *Roy Walmsley <roy.walmsley at ntlworld.com>
>             *Sent: *Friday, June 17, 2016 6:32 AM
>             *To: *John Carlson <yottzumm at gmail.com>; Don Brutzman <brutzman at nps.edu>
>             *Cc: *Holger Seelig <holger.seelig at yahoo.de>; x3d-public at web3d.org
>             *Subject: *Interesting Example
>
>             Hi,
>
>             I have come across an interesting example, relating to the use of Scripts/Prototypes.
>
>             It is on the Cobweb site at http://titania.create3000.de/cobweb/. Scroll down to examples, navigate to Page 3 of the Examples list, and choose “Gears”.
>
>             This example is also available on Holger’s GitHub site at https://github.com/create3000/Library/tree/master/Examples/Gears. There are four files, of which two are XML encoded X3D. The file Rotor.x3d supplies a prototype declaration that is used within gears.x3d.
>
>             Try opening the file gears.x3d in different browsers!
>
>             I don’t know how you would get on with this one, John, in your prototype expander.
>
>             Roy
>
>         all the best, Don
>
>         --
>
>         Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu <mailto:brutzman at nps.edu>
>
>         Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149 <tel:%2B1.831.656.2149>
>
>         X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
>
>
>
>
>
>     all the best, Don
>     --
>     Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu <mailto:brutzman at nps.edu>
>     Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149 <tel:%2B1.831.656.2149>
>     X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
>


all the best, Don
-- 
Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu
Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman

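The CDATA encapsulation described in the ISO/IEC 19776-1 text quoted above, and the entity repair that John's regex loop attempts, as an added example. This is not code from the thread, from X3DOM, Cobweb or the X3D JSON Loader; the function names, the Script attributes used and the sample script text are constructed for the example. It covers the one case a CDATA section cannot express directly (a literal "]]>" inside the script source) and decodes entities section by section, so a document with several Script nodes is handled without the greedy match or the backtracking of the (.|\n)* pattern.

```javascript
// Added example, not code from the thread or from X3DOM/Cobweb/X3D JSON Loader.
// Function names and the sample script text below are constructed.

// Wrap script source in a CDATA section. "]]>" is the one sequence a CDATA
// section cannot contain, so it is split across two sections: "]]" ends the
// first and ">" starts the second. A parser concatenates them back together.
function wrapInCdata(source) {
  return '<![CDATA[' + source.split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Escape a value for a single-quoted XML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/'/g, '&apos;');
}

// Emit an X3D Script element: attributes (e.g. DEF, directOutput) are
// entity-escaped; the source is not escaped at all but wrapped in CDATA,
// as 4.3.13 of the XML encoding recommends.
function scriptNodeXml(source, attrs) {
  const attrText = Object.entries(attrs || {})
    .map(([name, value]) => ' ' + name + "='" + escapeAttr(value) + "'")
    .join('');
  return '<Script' + attrText + '>\n' + wrapInCdata(source) + '\n</Script>';
}

// What a text-node serializer does to everything it is handed, CDATA markers
// included. Constructed here to stand in for the JSON-to-XML step that
// produced &lt;![CDATA[ in the thread.
function textNodeEscape(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Undo that escaping for each CDATA section. The body is matched non-greedily
// ([\s\S]*?), so several Script nodes are handled one section at a time and
// text between sections is left alone; &amp; is decoded last so that a
// literal "&lt;" in the original script survives the round trip.
function unescapeInsideCdata(xmlstr) {
  const escapedSection = /&lt;!\[CDATA\[([\s\S]*?)\]\]&gt;/g;
  return xmlstr.replace(escapedSection, (match, body) =>
    '<![CDATA[' +
    body.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&') +
    ']]>');
}

// Concatenate the CDATA bodies of a fragment (round-trip check only; a real
// loader would use an XML parser, which performs the same joining).
function cdataText(xml) {
  const section = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  const parts = [];
  let m;
  while ((m = section.exec(xml)) !== null) parts.push(m[1]);
  return parts.join('');
}

// Constructed sample: contains <, >=, && and a literal "]]>" inside a string.
const SAMPLE_SOURCE = [
  'ecmascript:',
  'function initialize() {',
  '  for (var i = 0; i < 10 && i >= 0; i++) {',
  "    Browser.print('marker ]]> inside a string');",
  '  }',
  '}',
].join('\n');

function roundTrip() {
  const xml = scriptNodeXml(SAMPLE_SOURCE, { DEF: 'Demo', directOutput: 'true' });
  const damaged = textNodeEscape(wrapInCdata(SAMPLE_SOURCE));
  return {
    xml,
    parsedBackEqualsSource: cdataText(xml) === SAMPLE_SOURCE,
    repairedEqualsWrapped: unescapeInsideCdata(damaged) === wrapInCdata(SAMPLE_SOURCE),
  };
}

console.log(roundTrip());
```

These functions target the XML/XHTML serialization. Per the HTML5 text quoted earlier in the thread, the HTML (non-XHTML) parser recognises CDATA sections only inside MathML or SVG, so in a plain HTML page the same script text has to travel as an escaped text node, which is the form the repair function takes as input.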

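Don's question about a safety net around eval(), and John's uncertainty about whether eval'd scripts get a separate namespace, as an added example; this is not code from the thread or from any X3D player, and the Browser stand-in and the four script strings are constructed. It shows which failures a try/catch catches (bad syntax, runtime exceptions), that a top-level var in eval'd code lands in the global namespace, and that a script which quietly replaces a host function raises no exception at all, so the catch block is an error handler rather than a privilege boundary. Passing the API in as a parameter narrows the name lookup but not what the script can reach.

```javascript
// Added example, not code from the thread or from any X3D player. The Browser
// stand-in and the script strings are constructed; real X3DOM/Cobweb API
// objects are not modelled.

// Stand-in for the player's browser API, exposed as a global the way scene
// scripts expect to find it.
globalThis.Browser = {
  createX3DFromString: function (text) { return 'parsed:' + text; },
};

// Naive loader: indirect eval runs the body in global scope (the scope a
// <script> element would get) and the catch block is the "safety net".
function runSceneScript(source) {
  try {
    (0, eval)(source);
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// Loader that hands the API in as a parameter instead of a global name.
// This is scoping, not sandboxing: the body can still name globalThis.
function runSceneScriptWithApi(source, api) {
  try {
    return { ok: true, value: new Function('Browser', source)(api) };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// Run four constructed scene scripts and report what happened. Host state
// touched by the scripts is restored at the end so the demo is repeatable.
function demo() {
  const original = Browser.createX3DFromString;
  const results = {};

  // 1. What the safety net is for: a syntax error and a runtime exception
  //    are caught and reported instead of taking the page down.
  results.syntaxError = runSceneScript('function initialize( {');
  results.runtimeError = runSceneScript('Browser.noSuchMethod()');

  // 2. Namespace: a top-level `var` in eval'd code becomes a property of the
  //    global object, visible to every other script on the page.
  results.globalBefore = typeof globalThis.leakedCounter;
  runSceneScript('var leakedCounter = 1');
  results.globalAfter = typeof globalThis.leakedCounter;

  // 3. No error at all: the script replaces a host function. Nothing is
  //    thrown, try/catch never fires, and every later caller of the API
  //    gets the replacement.
  results.apiBefore = Browser.createX3DFromString('Box {}');
  results.hijack = runSceneScript(
    'Browser.createX3DFromString = function () { return "hijacked"; }');
  results.apiAfter = Browser.createX3DFromString('Box {}');

  // 4. Passing the API as a parameter shadows the name, but the body can
  //    still reach globalThis, so this does not isolate the script either.
  const frozenApi = Object.freeze({ createX3DFromString: (t) => 'scoped:' + t });
  results.scoped = runSceneScriptWithApi(
    'return Browser.createX3DFromString("Box {}")', frozenApi);
  results.reachesGlobal = runSceneScriptWithApi(
    'return typeof globalThis.Browser', frozenApi);

  // Restore host state.
  Browser.createX3DFromString = original;
  delete globalThis.leakedCounter;
  return results;
}

console.log(demo());
```

The block runs under Node.js; in a browser globalThis is window and the same four observations hold. Limiting what scene script can reach takes a separate execution context (a Worker, which has no DOM access, or a sandboxed iframe), not more catch blocks.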

More information about the x3d-public mailing list