[x3d-public] good example for ECMAScripting and Protos?

John Carlson yottzumm at gmail.com
Mon Aug 6 11:45:12 PDT 2018


This is the main reason why I have not introduced anything into X3DOM or X_ITE which uses eval.  Thanks for the heads up and the link Leonard, will look into using Function to execute ECMAScript in X3DJSONLD—X3DJSONLD is still very much a prototype when dealing with Scripts.  Can you discuss uses of eval with Holger, Andreas?  The use of a scope with eval in X_ITE is similar to Function perhaps?  I need to read more.

One thing that comes to mind right away for X3DJSONLD is the ability to execute ROUTEs to and from scripts.  For each eval or Function call on things which do routing, how do I share the Function or eval scope? I guess I need to put the event loop in the local Function scope instead of in the global scope. Hmm.

In particular, if you are using Scripts.js or loadScripts in X3DJSONLD, you should make sure your ECMAScript does not have security holes.  Plus that, just to let you know, I am modifying the ECMAScript being sent to eval, so the script you currently send in JSON and X3D is not your own, it’s a cobbled together way to handle stuff with Protos and script events.  If you are concerned, see Script.js

I will be working on creating a Function equivalent, but if someone wants to look at loadScripts in Script.js, this is where I do the evals, that would be most welcome.

https://github.com/coderextreme/X3DJSONLD/blob/master/src/main/node/Script.js

X3DJSONLD has the following warning in the README.md:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
• WARNING
You should not put up index.html from the X3D JSON Loader found here https://github.com/coderextreme/X3DJSONLD/ and here http://coderextreme.net/X3DJSONLD/ without careful consideration of this:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
In particular, I am choosing tags, attribute names, and attributes right out of the JSON and XML with limited filtering or checking (just checking JSON schema, which may be ignored). You should validate any JSON or XML being loaded into the X3D JSON Loader (yes I know it’s problematic). In particular, if you store XML or JSON from untrusted sources and display them in the Loader, it’s likely you will get an XSS attack. Please sanitize all input from untrusted sources and make sure it’s valid. We don’t currently have XML Schema or XML Schematron for JSON data yet. We do have JSON schema, but it doesn't test scripts.
It’s in the license that I will not be liable for damages. Please use my software with care. I am not a security researcher.
If someone wants me to write a sanitizer for the X3D JSON Loader, I am willing to for $$$. I will need to run it by some security researchers.

I will consider putting a warning about eval soon, if I can’t get rid of eval.


John

Sent from Mail for Windows 10
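The README warning above says that tags, attribute names and attribute values are taken straight out of the JSON with little checking. The following is an added example, not X3DJSONLD's own code, of an allowlist pass that would sit between JSON.parse and DOM construction and report what it dropped. The X3D JSON key conventions it assumes ("@name" for attributes, "-name" for child-node fields, other object-valued keys such as "Scene" for directly contained elements) and the small allowlists are assumptions of this example.

```javascript
// Added example, not X3DJSONLD's own code: allowlist the element and attribute
// names read from X3D JSON before they become DOM tags and attributes, and
// report what was dropped. Assumed X3D JSON conventions (an assumption of this
// example): "@name" keys are attributes, "-name" keys hold child nodes (one
// object or an array of objects), and any other object-valued key such as
// "Scene" is a directly contained element.

const ALLOWED_ELEMENTS = new Set([
  "X3D", "Scene", "Transform", "Shape", "Appearance", "Material", "Box",
]);
const ALLOWED_ATTRIBUTES = new Set([
  "@profile", "@version", "@DEF", "@USE", "@translation", "@size", "@diffuseColor",
]);
const NAME_RE = /^[A-Za-z][A-Za-z0-9_]*$/; // plain XML-name shape: no ":", "/", "<"

function sanitizeChild(child, dropped) {
  // A child is an object with exactly one key, the element name.
  if (!child || typeof child !== "object" || Array.isArray(child) ||
      Object.keys(child).length !== 1) {
    dropped.push("malformed child");
    return null;
  }
  const name = Object.keys(child)[0];
  const body = sanitizeElement(name, child[name], dropped);
  return body ? { [name]: body } : null;
}

function sanitizeElement(name, body, dropped) {
  if (!NAME_RE.test(name) || !ALLOWED_ELEMENTS.has(name)) {
    dropped.push(`element ${name}`);
    return null;
  }
  if (!body || typeof body !== "object" || Array.isArray(body)) body = {};
  const clean = {};
  for (const [key, value] of Object.entries(body)) {
    if (key.startsWith("@")) {
      // Attribute: allowlisted name, scalar value, never an on* event handler.
      if (ALLOWED_ATTRIBUTES.has(key) && !/^@on/i.test(key) && typeof value !== "object") {
        clean[key] = String(value);
      } else {
        dropped.push(`attribute ${name}${key}`);
      }
    } else if (key.startsWith("-")) {
      // Containment field: sanitize each child, keep the single/array shape.
      const kept = (Array.isArray(value) ? value : [value])
        .map((c) => sanitizeChild(c, dropped))
        .filter(Boolean);
      if (Array.isArray(value)) clean[key] = kept;
      else if (kept.length) clean[key] = kept[0];
    } else if (value && typeof value === "object" && !Array.isArray(value)) {
      // Directly contained element, e.g. "Scene" inside "X3D".
      const sub = sanitizeElement(key, value, dropped);
      if (sub) clean[key] = sub;
    } else {
      dropped.push(`key ${name}.${key}`);
    }
  }
  return clean;
}

function sanitizeX3DJSON(text) {
  const dropped = [];
  const root = sanitizeChild(JSON.parse(text), dropped); // JSON.parse builds data only
  return { root, dropped };
}

// Constructed sample: a valid scene plus an injected onload attribute, a
// script element and a style attribute, none of which belong in X3D JSON.
const SAMPLE_JSON = JSON.stringify({
  X3D: {
    "@profile": "Immersive",
    "@version": "3.3",
    "@onload": "alert(1)",
    Scene: {
      "-children": [
        { Transform: { "@translation": "0 1 0",
                       "-children": [{ Shape: { "-geometry": { Box: { "@size": "2 2 2" } } } }] } },
        { script: { "@src": "https://example.invalid/x.js" } },
        { Shape: { "@DEF": "S2", "-geometry": { Box: { "@size": "1 1 1", "@style": "x" } } } },
      ],
    },
  },
});
```

Run `sanitizeX3DJSON(SAMPLE_JSON)` and only the two allowlisted Shape children survive; `dropped` lists the onload attribute, the script element and the style attribute, which is the record a loader would log before calling createElement and setAttribute on the cleaned tree. A real loader would extend the allowlists with every node and field name it supports and treat any name outside them as a rejection, not a warning.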

From: Leonard Daly
Sent: Monday, August 6, 2018 1:56 PM
To: John Carlson
Cc: Andreas Plesch; Vincent Marchetti; X3D-Public
Subject: Re: [x3d-public] good example for ECMAScripting and Protos?

[Removed X3DOM mailing list because the message applies to X3D in general and not X3DOM.]

There have been several mentions over the last many months about using eval to process code in the browser. Sometimes the code is JSON, other times the code is JavaScript (sometimes HTML5 JavaScript, others X3D ECMAScript). 

I do not recall seeing any discussion of potential security issues when 'eval'ing code. 

If the string is JSON, then the proper way to convert the JSON string to internal data structure is with JSON.parse (e.g., see https://www.w3schools.com/js/js_json_parse.asp). This built-in method ensures that no code is executed and only data structures are created.

eval() is a dangerous function. 

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Do_not_ever_use_eval!

Any library that provides the ability to execute uncontrolled code is really asking for trouble and probably will not be allowed in any corporate environment. Any X3D solution that requires the use of eval() for user code needs to be re-thought to develop a solution without that requirement -- either explicitly stated or required because no other solution to the requirements is possible.


Leonard Daly
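Two points from the exchange above, Leonard's that JSON text should go through JSON.parse rather than eval, and John's question of how to keep ROUTEd script events in a Function scope instead of the global scope, as one added example in JavaScript. This is not X3DJSONLD's, X_ITE's or X3DOM's code; the script-node shape, the `fields` parameter handed to each script and the "forward when the output field changed" rule are assumptions of the example, and Function, like eval, still runs whatever source it is handed, so this shows scoping, not a sandbox.

```javascript
// Added example, not X3DJSONLD's, X_ITE's or X3DOM's code. Side by side:
//  1. JSON text is turned into data with JSON.parse, which never runs code.
//  2. An X3D-style ECMAScript body is compiled with the Function constructor
//     so that its functions and field storage live in a per-script scope
//     (the `fields` object, an assumption of this example) rather than on the
//     global object. Function, like eval, executes whatever source it gets,
//     so the source must be trusted; only the scoping is demonstrated here.

function parseJsonData(text) {
  return JSON.parse(text); // SyntaxError on anything that is not pure JSON
}

function isPureJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Compile one script. `inputs` lists the eventIn names the body must define as
// functions; `fields` is the script's own field storage with initial values.
function compileScript(name, source, inputs, fields) {
  const exported = inputs
    .map((n) => `${n}: typeof ${n} === "function" ? ${n} : null`)
    .join(", ");
  // Everything the body declares is local to this Function; the body reaches
  // its fields only through the `fields` parameter it closes over.
  const factory = new Function("fields", `"use strict";\n${source}\nreturn { ${exported} };`);
  return { name, fields, handlers: factory(fields) };
}

// Minimal event cascade (constructed rule, not X3D's exact semantics): deliver
// `value` to script.inName, then forward every output field that changed along
// the ROUTEs that start at this script.
function sendEvent(routes, script, inName, value) {
  const handler = script.handlers[inName];
  if (!handler) throw new Error(`${script.name} has no eventIn ${inName}`);
  const before = { ...script.fields };
  handler(value);
  for (const r of routes) {
    if (r.from !== script) continue;
    if (!Object.is(before[r.out], script.fields[r.out])) {
      sendEvent(routes, r.to, r.in, script.fields[r.out]);
    }
  }
}

// Constructed script bodies: the first doubles its input, the second records
// what it receives.
const DOUBLER_SRC = `
  function set_fraction(fraction) {
    fields.value_changed = fraction * 2;
  }`;
const SINK_SRC = `
  function set_value(v) {
    fields.received.push(v);
  }`;

function runDemo() {
  const doubler = compileScript("Doubler", DOUBLER_SRC, ["set_fraction"], { value_changed: 0 });
  const sink = compileScript("Sink", SINK_SRC, ["set_value"], { received: [] });
  const routes = [{ from: doubler, out: "value_changed", to: sink, in: "set_value" }];
  sendEvent(routes, doubler, "set_fraction", 0.25);
  sendEvent(routes, doubler, "set_fraction", 0.25); // output unchanged: nothing forwarded
  sendEvent(routes, doubler, "set_fraction", 1.5);
  // `leaked` checks that the script's function never reached the global object.
  return { received: sink.fields.received, leaked: typeof globalThis.set_fraction };
}
```

`runDemo()` returns `{ received: [0.5, 3], leaked: "undefined" }`: the event loop and the scripts' state are all held in the `fields` objects and the `routes` list, nothing is written to `globalThis`, and the same `fields` object can be shared between every Function call that handles routing for that script.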



I am interested in the fields, specifically getting scenegraph values out of SFNodes which are in fields.  I can call the script node mooluckpooluck when I insert it into DOM, let’s just decide on something and add it to both X_ITE and X3DOM. X_ITE already uses eval.  Are we going to make that magically disappear, if so, how?   Let’s hop skip jump to it if it has to go through W3C.

John

On Mon, Aug 6, 2018 at 1:32 AM John Carlson <yottzumm at gmail.com> wrote:
I don’t care if the script tag is called mooluckpooluck or if there is a conflict.  I’m working in the JSON environment, so the rules are somewhat different.   What I am concerned about is getting my arrays converted to arrays and not strings.

On Mon, Aug 6, 2018 at 1:19 AM John Carlson <yottzumm at gmail.com> wrote:
Leonard, I agree my approach may not work in all environments.

Determining a valid or invalid MIME type is extremely difficult if done semantically, but extremely easy if done syntactically.  My guess is that many of the X3D tags are semantically invalid, unless someone has added them to Apache.   I do not know the status of this.   I have to add MIME types to my server for every new extension I add.  It is not that big of a deal.

One may not need a script tag around X3D script to execute X3D script.  One may use eval in a script tag.   One may make script inconsequential by making the scripts only functions, and move the functions to a string which is evaled.  Essentially you are parsing twice.

If we want script fields handled by X3DOM, we will have to find some way to bring them into X3DOM.  X_ITE has shown the way.   We can take other approaches than X3DOM, like straight DOM.  I am beginning to think this is preferable,  but using DEF to find nodes which aren’t in the scenegraph has kind of been, wtf?

The question has become “Are DEFed SFNodes valid scenegraph objects if they are in fields?” This may show a failing of X3DOM, which may need to be corrected.  I can probably find the scenegraph object using USE, but I really want to use DEF.   Can someone show me how to do it in the HTML5 environment?

John
On Mon, Aug 6, 2018 at 12:24 AM Leonard Daly <Leonard.Daly at realism.com> wrote:
I am replying to an early message in this thread, but I hope to capture comments from all messages in the thread. My comments only apply to the web browser (HTML5) environment.

First, any Script tag (in any case) will be handled by the web browser, and the web browser will parse content before anything else. If you really need to independently parse some tags, you will need to "read" it into a JavaScript variable and handle it that way. If it's in the page file, it will be parsed.

There was a suggestion to use "text/x3dscript" or some other string. The W3C has something to say about this at https://www.w3.org/TR/html5/scripting-1.html#the-script-element. The value of the type attribute must either be
1. omitted
2. JavaScript MIME type
3. "module"
4. any other valid mime type
So the use of an invalid MIME type is not technically valid HTML. This may cause a problem with some browsers or validators; or present future problems if that string is ever defined to have a particular meaning.
X3DOM does not have X3D scripting. If you need scripting to correctly process an X3DOM environment, then you need to do it in HTML5 JavaScript. X3DOM does not process the Script tag; that is done by HTML5. While the X3DOM parser could recognize that tag, it does not; hence, none of the X3DOM methods are available to handle interactions on a Script node (a Script tag parsed into DOM).
The X3D Script / HTML5 Script tag name conflict is a long-standing and known issue. To my knowledge no work has been done to break the conflict. 
Leonard Daly



Here’s my current code for clearing the ECMAScript out of a X3D file so that it doesn’t show on the screen:
 
 
// Remove text (nodeType 3) and CDATA (nodeType 4) children of each Script
// element under `selector`; child elements such as <field> are left in place.
$(selector + " Script").contents().filter(function () {
    return this.nodeType === 3 || this.nodeType === 4;
}).remove();
 
This retains the fields.  I may change my code to work with fields instead of parsing out the fields into properties (but directOutput is nice).  This would mean that X3DOM has to route to and from the script fields (is this possible?).
 
John
Sent from Mail for Windows 10
 
From: John Carlson
Sent: Saturday, August 4, 2018 4:56 AM
To: vmarchetti at kshell.com; X3D-Public; x3dom mlist; Andreas Plesch
Subject: RE: [x3d-public] good example for ECMAScripting and Protos?
 
I have a problem with this file in X3DOM, because as far as I can tell, the SFNode fields (the node, not the field) do not have getFieldValue for point etc. as a function, for example (but one can double check me).  In other words, I don’t think this node is an X3DOM node.
 
Thus I cannot take a reasonable length in the script.  One would have to parse the string.

That’s as clear as I can get.  I think this might be because x3dom does not process scripts correctly. We would need a script tag handler, and a field handler inside that.
 
Can you help Andreas?  I’ve created a script tag before, but that code is lost. It might be in my GitHub repository somewhere, not sure.
 
We just need a script tag that has fields, but doesn’t execute its CDATA section.  I am pretty sure
 
How is V4.0 handling this?
 
Alternatively, I can change my nodeUtil code to look at the type and do the right thing converting a string to the correct type.   Suggestions are welcome.
 
Thanks for the great example, Vince,
 
Should I adapt my code to deal with this failing in X3DOM, or should we change X3DOM?
 
John
 
Sent from Mail for Windows 10
 
From: vmarchetti at kshell.com
Sent: Wednesday, August 1, 2018 9:04 PM
To: John Carlson; X3D-Public
Subject: Re: [x3d-public] good example for ECMAScripting and Protos?
 
See 
http://www.kshell.com/pages/pointcloudvisualization/SphereDirectedPointSet.x3d
 
It is an X3D file with a Prototype + ECMAScript definition of a point cloud, with a vector attached to each point of the cloud.
Example used is just points randomly distributed on sphere with directs pointed radially outward.
 
Potential uses would be to implement the scanning design pattern at http://x3dgraphics.com/examples/X3dForAdvancedModeling/Scanning/X3dMeshDesignPatternIndex.html , or
visualizing fluid flow or  electromagnetic field
 
On Jul 31, 2018, at 10:30 PM, John Carlson <yottzumm at gmail.com> wrote:
 
Is there a good example of ECMAScripting in X3D that I can use to test my X3D JSON ECMAScript preprocessor?  Preferably with Protos 
 
 
Thanks!
 
John
 
_______________________________________________
x3d-public mailing list
x3d-public at web3d.org
http://web3d.org/mailman/listinfo/x3d-public_web3d.org
 
 
 



-- 
Leonard Daly
3D Systems & Cloud Consultant
LA ACM SIGGRAPH Past Chair
President, Daly Realism - Creating the Future 



