[x3d-public] script security

John Carlson yottzumm at gmail.com
Sat Oct 17 10:11:03 PDT 2020


Thanks Andreas,  should help.

I note that the url field is not added to your code.  A start on url is in
my code, but it's untested, and only processes the first element in the array.

In NodeNameSpace.js, around line 559, I added the comparison to
"x3dscript" to prevent warnings.  I am not sure if I should use the body of
the condition or not.  The comparison may need to be on another branch of
code:

        //silence warnings
        else if ( tagLC == "protodeclare" || tagLC == "externprotodeclare"
                || tagLC == "protoinstance" || tagLC == "x3dscript" )
        {
            n = null;
        }

On Sat, Oct 17, 2020 at 6:48 AM Andreas Plesch <andreasplesch at gmail.com>
wrote:

> Hi John,
>
> since I had started to sketch some answers I went ahead and implemented a
> rough draft of an X3DScript node for x3dom.
>
> Here is the basic spec. example working with the node:
>
>
> https://raw.githack.com/andreasplesch/x3dom/4cf1ec31736109e67d7b44aa1afb8fc8133f8cb6/test/regression-suite/test/cases/x3dscript/TouchSensorIsOverEventECMAScript.html
>
> Here is the implementation:
>
>
> https://github.com/andreasplesch/x3dom/blob/fields/src/nodes/Scripting/X3DScript.js
>
> I am using "X3DScript" for now because it is less confusing. It should be
> possible to switch to Script type='app/x3dscript' at some point.
>
> It turns out that in html documents CDATA sections get converted into
> comments. This is great since it lets one use any character (except for
> -->) in the script. So I am looking for converted comments under the script
> node for the script source.  I did not look into xhtml but xml should be
> easier.
>
> Since MDN also recommends Function over eval, I tried to go this way and
> could figure out an (unsafe) solution using wrappers to maintain the
> internal context of the script. I think the same approach may be possible
> for x_ite as well.
>
> I use the nice x_ite approach to get access to the functions in the
> script, by returning references to the functions.
>
> Unlike x_ite I am trying not to use with() since it is not recommended.
> Instead I add lots of helpers to the script source in a preamble, I think
> like you do. For output fields x_ite is also using with() and getters and
> setters. For now, I am trying to avoid with() and just compare output field
> values before and after a script set function gets called, from a route. If
> there is a change, an event is fired.
>
> There is no attempt to deal with XFNode field values. This will be tricky.
> I did not test anything other than the simple example but other simple
> examples may start to work as well, perhaps with some adjustments to how
> SAI is used. Gears will need SFRotation which may be easy to add to the
> preamble.
>
> Cheers, -Andreas
> ---on the phone---
>
>
> On Thu, Oct 15, 2020 at 10:31 PM John Carlson <yottzumm at gmail.com> wrote:
> >
> >
> >
> > On Thu, Oct 15, 2020 at 9:25 PM John Carlson <yottzumm at gmail.com> wrote:
> >>
> >> What I am searching for is:
> >>
> >> 1. How to add Script related routes to X3DOM
> >
> >
> > Once I set up Script and fields, this is done automatically with setupTree?
> >
> >>
> >> 2. How to hook in Proto IS statements found in Scripts.
> >
> >
> > Not sure how to do that yet.
> >>
> >> 3. How to modify any Script code to support parsing and the above.
> >
> >
> > adding any functions, declaring variables, etc.
> >>
> >>
> >> On Thu, Oct 15, 2020 at 9:15 PM John Carlson <yottzumm at gmail.com> wrote:
> >>>
> >>> Something like
> >>>
> >>> fromNode.setupRoute(fromField, toNode, toField);
> >>>
> >>> ? That's only for routes?  What about events?
> >>>
> >>> John
> >>>
> >>>
> >>> On Thu, Oct 15, 2020 at 8:42 PM John Carlson <yottzumm at gmail.com> wrote:
> >>>>
> >>>>
> >>>>>> Use the set_xfield functions on field_changed (xfield).
> >>>>>
> >>>>>
> >>>>> Not implemented.  Is this new code?   Where would I put it under Scripting/?   Can you provide a short example?
> >>>>>>
> >>>>>>
> >>>>>> Post messages for all _changed fields as given in the field def.
> >>>>>> Somehow deal with SFNode fields.
> >>>>>>
> >>>>>>
> >>>>
> >>>> There is sample code under Script.js:
> >>>>
> >>>> https://github.com/coderextreme/X3DJSONLD/blob/master/src/main/node/Script.js#L346
> >>>>
> >>>> Below:
> >>>> ====================================================================
> >>>>         doRoute(mypackage, fromNode, fromField, toNode, toField, log, set, changed, selector, url) {
> >>>>                 var fromScript = mypackage.find(fromNode);
> >>>>                 var toScript = mypackage.find(toNode);
> >>>>                 // only add routes with scripts involved
> >>>>                 if (typeof fromScript !== 'undefined' || typeof toScript !== 'undefined') {
> >>>>                         var from = this.nodeUtil(selector)+fromNode+"','"+fromField+"')";
> >>>>                         if (typeof fromScript !== 'undefined') {
> >>>>                                 from = 'typeof '+this.useX3DJSON('Obj', selector, url, fromScript.name)+'.'+fromField+changed+' === "function" ? '+this.useX3DJSON('Obj', selector, url, fromScript.name) + '.'+fromField+changed+'() : '+this.useX3DJSON('Obj', selector, url, fromScript.name) + '.'+fromField;
> >>>>                         }
> >>>>                         var to = this.nodeUtil(selector)+toNode+"','"+toField+"',";
> >>>>                         if (typeof toScript !== 'undefined') {
> >>>>                                 to = this.useX3DJSON('Obj', selector, url, toScript.name) + '.'+set+toField+'(';
> >>>>                         }
> >>>>                         if (typeof fromScript !== 'undefined' && typeof toScript !== 'undefined') {
> >>>>                                 log.log("               if ("+this.useX3DJSON('Obj', selector, url, toScript.name)+" && "+from+") {");
> >>>>                         }
> >>>>                         log.log("                       "+to+from+", __eventTime);");
> >>>>                         if (typeof fromScript !== 'undefined' && typeof toScript !== 'undefined') {
> >>>>                                 log.log("               }");
> >>>>                         }
> >>>>                 }
> >>>>         }
> >>>>
> >>>>  ====================================================================
> >>>>
>
>
>
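
The approach described in the quoted message above (Function constructor instead of eval, a generated preamble, returned function references, and comparing output fields before and after a handler call), as an added example that is not part of the thread and not x3dom or x_ite code. compileScript, routeEvent, canReachGlobals and the sample script are hypothetical names constructed for illustration.

```javascript
// Added illustration; all names are hypothetical, not x3dom or x_ite APIs.
// Build the script context with the Function constructor instead of eval().
// The preamble turns output fields into locals; the trailer returns
// references to the handlers plus a snapshot function for the outputs.
function compileScript(source, inputNames, outputFields) {
  const outNames = Object.keys(outputFields);
  // Field names are spliced into source text: accept plain identifiers only.
  for (const name of [...inputNames, ...outNames]) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
      throw new Error("bad field name: " + name);
    }
  }
  const preamble = outNames.map((n) => `var ${n} = __init.${n};`).join("\n");
  const handlers = inputNames
    .map((n) => `${n}: typeof ${n} === "function" ? ${n} : undefined`)
    .join(", ");
  const trailer = `return { handlers: { ${handlers} }, ` +
    `snapshot: function () { return { ${outNames.join(", ")} }; } };`;
  const factory = new Function("__init", `${preamble}\n${source}\n${trailer}`);
  return factory(outputFields);
}

// Deliver one routed event, then diff the outputs instead of using with().
// Limitation: !== only sees reassignment, so re-assigning an equal value or
// mutating an object-valued field in place fires nothing.
function routeEvent(script, field, value, time, fireEvent) {
  const handler = script.handlers[field];
  if (typeof handler !== "function") return [];
  const before = script.snapshot();
  handler(value, time);
  const after = script.snapshot();
  const changed = Object.keys(after).filter((n) => after[n] !== before[n]);
  for (const n of changed) fireEvent(n, after[n], time);
  return changed;
}

// Constructed sample script source (not the spec example itself).
const SAMPLE_SOURCE = `function isOver(value, time) {
  transparency_changed = value ? 0.5 : 0;
}`;

function demo() {
  const script = compileScript(SAMPLE_SOURCE, ["isOver"], { transparency_changed: 0 });
  const events = [];
  const fire = (name, value) => events.push(`${name}=${value}`);
  routeEvent(script, "isOver", true, 1, fire);  // 0 -> 0.5, fires
  routeEvent(script, "isOver", true, 2, fire);  // unchanged, no event
  routeEvent(script, "isOver", false, 3, fire); // 0.5 -> 0, fires
  return events;
}

// Why the wrapper is "(unsafe)": the body still resolves global names.
function canReachGlobals() {
  const s = compileScript("function probe() { seen = typeof globalThis; }", ["probe"], { seen: "" });
  s.handlers.probe();
  return s.snapshot().seen === "object";
}
```

The wrapper keeps the script's state private to its own closure, but it is not a sandbox: untrusted script source still needs isolation such as a sandboxed iframe or a Worker.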