[x3d-public] good example for ECMAScripting and Protos?

Leonard Daly Leonard.Daly at realism.com
Mon Aug 6 10:56:56 PDT 2018


[Removed X3DOM mailing list because the message applies to X3D in 
general and not X3DOM.]

There have been several mentions over the last many months about using 
eval to process code in the browser. Sometimes the code is JSON, other 
times the code is JavaScript (sometimes HTML5 JavaScript, others X3D 
ECMAScript).

I do not recall seeing any discussion of potential security issues when 
'eval'ing code.

If the string is JSON, then the proper way to convert the JSON string to 
an internal data structure is with JSON.parse (e.g., see 
https://www.w3schools.com/js/js_json_parse.asp). This built-in method 
ensures that no code is executed and only data structures are created.

eval() is a dangerous function.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Do_not_ever_use_eval!

Any library that provides the ability to execute uncontrolled code is 
really asking for trouble and probably will not be allowed in any 
corporate environment. Any X3D solution that requires the use of eval() 
for user code needs to be re-thought to develop a solution without that 
requirement -- either explicitly stated or required because no other 
solution to the requirements is possible.


Leonard Daly




> I am interested in the fields, specifically getting scenegraph values 
> out of SFNodes which are in fields. I can call the script node 
> mooluckpooluck when I insert it into DOM, let’s just decide on 
> something and add it to both X_ITE and X3DOM. X_ITE already uses 
> eval.  Are we going to make that magically disappear, if so, how?   
> Let’s hop skip jump to it if it has to go through W3C.
>
> John
>
> On Mon, Aug 6, 2018 at 1:32 AM John Carlson <yottzumm at gmail.com 
> <mailto:yottzumm at gmail.com>> wrote:
>
>     I don’t care if the script tag is called mooluckpooluck or if
>     there is a conflict.  I’m working in the JSON environment, so the
>     rules are somewhat different.   What I am concerned about is
>     getting my arrays converted to arrays and not strings.
>
>     On Mon, Aug 6, 2018 at 1:19 AM John Carlson <yottzumm at gmail.com
>     <mailto:yottzumm at gmail.com>> wrote:
>
>         Leonard, I agree my approach may not work in all environments.
>
>         Determining a valid or invalid mime type is extremely
>         difficult if done semantically, but extremely easy if done
>         syntactically.  My guess is that many of the X3D tags are
>         semantically invalid, unless someone has added them to Apache.
>         I do not know the status of this.   I have to add MIME types
>         to my server for every new extension I add.  It is not that
>         big of a deal.
>
>         One may not need a script tag around X3D script to execute X3D
>         script.  One may use eval in a script tag.   One may make
>         script inconsequential by making the scripts only functions,
>         and move the functions to a string which is evaled. 
>         Essentially you are parsing twice.
>
>         If we want script fields handled by X3DOM, we will have to
>         find some way to bring them into X3DOM.  X_ITE has shown the
>         way.   We can take other approaches than X3DOM, like straight
>         DOM.  I am beginning to think this is preferable,  but using
>         DEF to find nodes which aren’t in the scenegraph has kind of
>         been, wtf?
>
>         The question has become “Are DEFed SFNodes valid scenegraph
>         objects if they are in fields?” This may show a failing of
>         X3DOM, which may need to be corrected.  I can probably find
>         the scenegraph object using USE, but I really want to use DEF.
>           Can someone show me how to do it in the HTML5 environment?
>
>         John
>         On Mon, Aug 6, 2018 at 12:24 AM Leonard Daly
>         <Leonard.Daly at realism.com <mailto:Leonard.Daly at realism.com>>
>         wrote:
>
>             I am replying to an early message in this thread, but I
>             hope to capture comments from all messages in the thread.
>             My comments only apply to the web browser (HTML5) environment.
>
>             First, any Script tag (in any case) will be handled by the
>             web browser, and the web browser will parse content before
>             anything else. If you really need to independently parse
>             some tags, you will need to "read" it into a JavaScript
>             variable and handle it that way. If it's in the page file,
>             it will be parsed.
>
>             There was a suggestion to use "text/x3dscript" or some
>             other string. The W3C has something to say about this at
>             https://www.w3.org/TR/html5/scripting-1.html#the-script-element.
>             The value of the type attribute must either be
>
>              1. omitted
>              2. JavaScript MIME type
>              3. "module"
>              4. any other valid mime type
>
>             So the use of an invalid MIME type is not technically
>             valid HTML. This may cause a problem with some browsers or
>             validators; or present future problems if that string is
>             ever defined to have a particular meaning.
>
>             X3DOM does not have X3D scripting. If you need scripting
>             to correctly process an X3DOM environment; then you need
>             to do it in HTML5 Javascript. X3DOM does not process the
>             Script tag, that is done by HTML5. While X3DOM parser
>             could recognize that tag, it does not; hence, none of the
>             X3DOM methods are available to handle interactions on a
>             Script node (a Script tag parsed into DOM).
>
>             The X3D Script / HTML5 Script tag name conflict is a
>             long-standing and known issue. To my knowledge no work has
>             been done to break the conflict.
>
>             Leonard Daly
>
>
>
>
>
>>             Here’s my current code for clearing the ECMAScript out of
>>             a X3D file so that it doesn’t show on the screen:
>>
>>             $(selector+" Script").contents().filter(function () {
>>                 // nodeType 3 is a text node, 4 is a CDATA section
>>                 return this.nodeType === 3 || this.nodeType === 4;
>>             }).remove();
>>
>>             This retains the fields.  I may change my code to work
>>             with fields instead of parsing out the fields into
>>             properties (but directOutput is nice).  This would mean
>>             that X3DOM has to route to and from the script fields (is
>>             this possible?).
>>
>>             John
>>
>>             Sent from Mail
>>             <https://go.microsoft.com/fwlink/?LinkId=550986> for
>>             Windows 10
>>
>>             *From: *John Carlson <mailto:yottzumm at gmail.com>
>>             *Sent: *Saturday, August 4, 2018 4:56 AM
>>             *To: *vmarchetti at kshell.com
>>             <mailto:vmarchetti at kshell.com>; X3D-Public
>>             <mailto:x3d-public at web3d.org>; x3dom mlist
>>             <mailto:x3dom-users at lists.sourceforge.net>; Andreas
>>             Plesch <mailto:andreasplesch at gmail.com>
>>             *Subject: *RE: [x3d-public] good example for
>>             ECMAScripting and Protos?
>>
>>             I have a problem with this file in X3DOM, because as far
>>             as I can tell, the SFNode fields (the node, not the
>>             field) do not have getFieldValue for point etc. as a
>>             function, for example (but one can double check me). In
>>             other words, I don’t think this node is an X3DOM node.
>>
>>             Thus I cannot take a reasonable length in the script. 
>>             One would have to parse the string.
>>
>>
>>             That’s as clear as I can get.  I think this might be
>>             because x3dom does not process scripts correctly. We
>>             would need a script tag handler, and a field handler
>>             inside that.
>>
>>             Can you help Andreas?  I’ve created a script tag before,
>>             but that code is lost. It might be in my GitHub
>>             repository somewhere, not sure.
>>
>>             We just need a script tag that has fields, but doesn’t
>>             execute its CDATA section.  I am pretty sure
>>
>>             How is V4.0 handling this?
>>
>>             Alternatively, I can change my nodeUtil code to look at
>>             the type and do the right thing converting a string to
>>             the correct type. Suggestions are welcome.
>>
>>             Thanks for the great example, Vince,
>>
>>             Should I adapt my code to deal with this failing in
>>             X3DOM, or should we change X3DOM?
>>
>>             John
>>
>>
>>             *From: *vmarchetti at kshell.com <mailto:vmarchetti at kshell.com>
>>             *Sent: *Wednesday, August 1, 2018 9:04 PM
>>             *To: *John Carlson <mailto:yottzumm at gmail.com>;
>>             X3D-Public <mailto:x3d-public at web3d.org>
>>             *Subject: *Re: [x3d-public] good example for
>>             ECMAScripting and Protos?
>>
>>             See
>>
>>             http://www.kshell.com/pages/pointcloudvisualization/SphereDirectedPointSet.x3d
>>
>>             It is an X3D file with a Prototype + ecmascript
>>             definition of a point cloud, with a vector attached to
>>             each point of the cloud.
>>
>>             Example used is just points randomly distributed on
>>             sphere with directs pointed radially outward.
>>
>>             Potential uses would be to implement the scanning design
>>             pattern at
>>             http://x3dgraphics.com/examples/X3dForAdvancedModeling/Scanning/X3dMeshDesignPatternIndex.html
>>             , or
>>
>>             visualizing fluid flow or  electromagnetic field
>>
>>                 On Jul 31, 2018, at 10:30 PM, John Carlson
>>                 <yottzumm at gmail.com> <mailto:yottzumm at gmail.com> wrote:
>>
>>                 Is there a good example of ECMAScripting in X3D that
>>                 I can use to test my X3D JSON ECMAScript
>>                 preprocessor?  Preferably with Protos
>>
>>                 Thanks!
>>
>>                 John
>>
>>                 _______________________________________________
>>                 x3d-public mailing list
>>                 x3d-public at web3d.org <mailto:x3d-public at web3d.org>
>>                 http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>>
>>
>>
>
>
>             -- 
>             *Leonard Daly*
>             3D Systems & Cloud Consultant
>             LA ACM SIGGRAPH Past Chair
>             President, Daly Realism - /Creating the Future/
>

-- 
*Leonard Daly*
3D Systems & Cloud Consultant
LA ACM SIGGRAPH Past Chair
President, Daly Realism - /Creating the Future/
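
The JSON.parse point in the message above, and the thread's question about turning field strings into arrays, as an added example that is not code from this thread, X3DOM or X_ITE. The function names and the `{fields: [{name, type, value}]}` document shape are assumptions constructed for illustration; they are not the X3D JSON encoding.

```javascript
// Added example: every name and sample string here is constructed.
const NUM = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;
const ARITY = new Map([["SFFloat", 1], ["SFVec3f", 3], ["MFVec3f", 3]]);

// Split an X3D numeric field string ("0 0 0, 1 2 3") into validated numbers.
function toNumbers(text) {
  const tokens = text.trim().split(/[\s,]+/).filter(Boolean);
  for (const t of tokens) {
    if (!NUM.test(t)) throw new TypeError(`not a number: ${JSON.stringify(t)}`);
  }
  return tokens.map(Number);
}

// Convert a field's string value by its declared type; nothing is evaluated.
function parseFieldValue(type, text) {
  if (typeof text !== "string") throw new TypeError("field value must be a string");
  if (type === "SFString") return text;
  const arity = ARITY.get(type);
  if (arity === undefined) throw new TypeError(`unsupported field type: ${type}`);
  const n = toNumbers(text);
  if (!type.startsWith("MF")) {
    if (n.length !== arity) throw new RangeError(`${type} needs ${arity} number(s)`);
    return arity === 1 ? n[0] : n;
  }
  if (n.length % arity !== 0) throw new RangeError(`${type} needs groups of ${arity}`);
  const out = [];
  for (let i = 0; i < n.length; i += arity) out.push(n.slice(i, i + arity));
  return out;
}

// Load fields as data only; returns null when the text is not valid JSON.
function loadFields(text) {
  let doc;
  try { doc = JSON.parse(text); } catch (e) { return null; }
  if (doc === null || !Array.isArray(doc.fields)) return null;
  const out = new Map();
  for (const f of doc.fields) out.set(f.name, parseFieldValue(f.type, f.value));
  return out;
}

// For contrast: eval() on the same text executes the embedded assignment.
function evalSideEffect(text) {
  delete globalThis.sideEffect;
  (0, eval)(text);
  return globalThis.sideEffect;
}

// Constructed inputs: a JSON document, and a JavaScript expression posing as one.
const GOOD = '{"fields":[{"name":"points","type":"MFVec3f","value":"0 0 0, 1 2 3"}]}';
const NOT_JSON = '(globalThis.sideEffect = "ran", {"fields": []})';
```

`loadFields(NOT_JSON)` returns null because JSON.parse rejects anything that is not pure data, while `evalSideEffect(NOT_JSON)` shows the same string running as code.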