[x3d-public] script security

Andreas Plesch andreasplesch at gmail.com
Sat Oct 17 04:48:06 PDT 2020


Hi John,

since I had started to sketch some answers I went ahead and implemented a
rough draft of an X3DScript node for x3dom.

Here is the basic spec. example working with the node:

https://raw.githack.com/andreasplesch/x3dom/4cf1ec31736109e67d7b44aa1afb8fc8133f8cb6/test/regression-suite/test/cases/x3dscript/TouchSensorIsOverEventECMAScript.html

Here is the implementation:

https://github.com/andreasplesch/x3dom/blob/fields/src/nodes/Scripting/X3DScript.js

I am using "X3DScript" for now because it is less confusing. It should be
possible to switch to Script type='app/x3dscript' at some point.

It turns out that in html documents CDATA sections get converted into
comments. This is great since it lets one use any character (except for
-->) in the script. So I am looking for converted comments under the script
node for the script source. I did not look into xhtml but xml should be
easier.

Since MDN also recommends Function over eval, I tried to go this way and
could figure out an (unsafe) solution using wrappers to maintain the
internal context of the script. I think the same approach may be possible
for x_ite as well.

I use the nice x_ite approach to get access to the functions in the script,
by returning references to the functions.

Unlike x_ite I am trying not to use with() since it is not recommended.
Instead I add lots of helpers to the script source in a preamble, I think
like you do. For output fields x_ite is also using with() and getters and
setters. For now, I am trying to avoid with() and just compare output field
values before and after a script set function gets called, from a route. If
there is a change, an event is fired.

There is no attempt to deal with XFNode field values. This will be tricky.
I did not test anything other than the simple example but other simple
examples may start to work as well, perhaps with some adjustments to how
SAI is used. Gears will need SFRotation which may be easy to add to the
preamble.

Cheers, -Andreas
---on the phone---
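
The approach described in the message above (compile the script source with Function, return references to its functions, and compare output fields before and after a call) is shown here as an added example; it is not the x3dom implementation. The names compileScript, dispatch, scopeProbe and the SFColor stub are assumptions, and the script source is constructed.

```javascript
// Added example: compileScript, dispatch and the SFColor stub are assumed names.
const IDENT = /^[A-Za-z_$][\w$]*$/;
const PREAMBLE = '"use strict";\n' +
    'function SFColor(r, g, b) { this.r = r; this.g = g; this.b = b; }\n';

function compileScript(source, handlerNames, outputFields) {
    // Names come from the scene document and are spliced into code: validate.
    for (const n of [...handlerNames, ...outputFields]) {
        if (!IDENT.test(n)) throw new TypeError('bad identifier: ' + n);
    }
    const decls = outputFields.map(f => 'var ' + f + ';\n').join('');
    const handlers = handlerNames
        .map(n => n + ': typeof ' + n + ' === "function" ? ' + n + ' : undefined')
        .join(', ');
    const snapshot = outputFields.map(f => f + ': ' + f).join(', ');
    const epilogue = '\nreturn { handlers: {' + handlers + '},\n' +
        '  snapshot: function () { return {' + snapshot + '}; } };';
    // Unlike eval, Function cannot see compileScript's locals, but the body
    // still reaches every global: this is scoping, not a sandbox.
    return new Function(PREAMBLE + decls + source + epilogue)();
}

function dispatch(script, name, value, time) {
    const own = Object.prototype.hasOwnProperty.call(script.handlers, name);
    if (!own || typeof script.handlers[name] !== 'function') return [];
    const before = script.snapshot();
    script.handlers[name](value, time);
    const after = script.snapshot();
    // Fire an event only for output fields whose value actually changed.
    return Object.keys(after)
        .filter(f => JSON.stringify(before[f]) !== JSON.stringify(after[f]))
        .map(f => ({ field: f, value: after[f] }));
}

function scopeProbe() {
    const localSecret = 'caller-local';
    return new Function('return [typeof localSecret, typeof globalThis];')();
}

// Constructed script source, modelled on a TouchSensor isOver handler.
const SAMPLE = `
function isOver(value, time) {
    diffuseColor = value ? new SFColor(1, 0, 0) : new SFColor(0, 0, 1);
}`;

function demo() {
    const script = compileScript(SAMPLE, ['isOver'], ['diffuseColor']);
    return [dispatch(script, 'isOver', true, 0), dispatch(script, 'isOver', true, 1)];
}
```

The second dispatch produces no event because the handler assigns a structurally equal value; the probe shows that a Function body cannot see the caller's locals but does see globalThis.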


On Thu, Oct 15, 2020 at 10:31 PM John Carlson <yottzumm at gmail.com> wrote:
>
>
>
> On Thu, Oct 15, 2020 at 9:25 PM John Carlson <yottzumm at gmail.com> wrote:
>>
>> What I am searching for is:
>>
>> 1. How to add Script related routes to X3DOM
>
>
> Once I set up Script and fields, this is done automatically with setupTree?
>
>>
>> 2. How to hook in Proto IS statements found in Scripts.
>
>
> Not sure how to do that yet.
>>
>> 3. How to modify any Script code to support parsing and the above.
>
>
> adding any functions, declaring variables, etc.
>>
>>
>> On Thu, Oct 15, 2020 at 9:15 PM John Carlson <yottzumm at gmail.com> wrote:
>>>
>>> Something like
>>>
>>> fromNode.setupRoute(fromField, toNode, toField);
>>>
>>> ? That's only for routes?  What about events?
>>>
>>> John
>>>
>>>
>>> On Thu, Oct 15, 2020 at 8:42 PM John Carlson <yottzumm at gmail.com> wrote:
>>>>
>>>>
>>>>>> Use the set_xfield functions on field_changed (xfield).
>>>>>
>>>>>
>>>>> Not implemented.  Is this new code?   Where would I put it under Scripting/?   Can you provide a short example?
>>>>>>
>>>>>>
>>>>>> Post messages for all _changed fields as given in the field def.
>>>>>> Somehow deal with SFNode fields.
>>>>>>
>>>>>>
>>>>
>>>> There is sample code under Script.js:
>>>>
>>>> https://github.com/coderextreme/X3DJSONLD/blob/master/src/main/node/Script.js#L346
>>>>
>>>> Below:
>>>> ====================================================================
>>>>         doRoute(mypackage, fromNode, fromField, toNode, toField, log, set, changed, selector, url) {
>>>>                 var fromScript = mypackage.find(fromNode);
>>>>                 var toScript = mypackage.find(toNode);
>>>>                 // only add routes with scripts involved
>>>>                 if (typeof fromScript !== 'undefined' || typeof toScript !== 'undefined') {
>>>>                         var from = this.nodeUtil(selector)+fromNode+"','"+fromField+"')";
>>>>                         if (typeof fromScript !== 'undefined') {
>>>>                                 from = 'typeof '+this.useX3DJSON('Obj', selector, url, fromScript.name)+'.'+fromField+changed+' === "function" ? '
>>>>                                         +this.useX3DJSON('Obj', selector, url, fromScript.name) + '.'+fromField+changed+'() : '
>>>>                                         +this.useX3DJSON('Obj', selector, url, fromScript.name) + '.'+fromField;
>>>>                         }
>>>>                         var to = this.nodeUtil(selector)+toNode+"','"+toField+"',";
>>>>                         if (typeof toScript !== 'undefined') {
>>>>                                 to = this.useX3DJSON('Obj', selector, url, toScript.name) + '.'+set+toField+'(';
>>>>                         }
>>>>                         if (typeof fromScript !== 'undefined' && typeof toScript !== 'undefined') {
>>>>                                 log.log("               if ("+this.useX3DJSON('Obj', selector, url, toScript.name)+" && "+from+") {");
>>>>                         }
>>>>                         log.log("                       "+to+from+", __eventTime);");
>>>>                         if (typeof fromScript !== 'undefined' && typeof toScript !== 'undefined') {
>>>>                                 log.log("               }");
>>>>                         }
>>>>                 }
>>>>         }
>>>>
>>>>  ====================================================================
>>>>