[x3d-public] script security

Andreas Plesch andreasplesch at gmail.com
Sat Oct 17 13:25:16 PDT 2020


Thanks. The warnings were due to "x3dscript" not being recognized as a
registered x3d node. My stuff now implements it and registers as a
proper node, so the warnings should not show up anymore. This is
different from Proto* which are statements not nodes.

Yeah, url was not a priority but would be great to add.

-Andreas

On Sat, Oct 17, 2020 at 1:11 PM John Carlson <yottzumm at gmail.com> wrote:
>
> Thanks Andreas,  should help.
>
> I note that the url field is not added to your code.  A start on url is in my code, but it's untested, and only processes first element in array.
>
> In: NodeNameSpace.js, around line 559, I added the comparison to "x3dscript" to prevent warnings.  I am not sure if I should use the body of the condition or not.  The comparison may need to be on another branch of code:
>
>         //silence warnings
>         else if ( tagLC == "protodeclare" || tagLC == "externprotodeclare"
>                 || tagLC == "protoinstance" || tagLC == "x3dscript" )
>         {
>             n = null;
>         }
>
> On Sat, Oct 17, 2020 at 6:48 AM Andreas Plesch <andreasplesch at gmail.com> wrote:
>>
>> Hi John,
>>
>> since I had started to sketch some answers I went ahead and implemented a rough draft of an X3DScript node for x3dom.
>>
>> Here is the basic spec. example working with the node:
>>
>> https://raw.githack.com/andreasplesch/x3dom/4cf1ec31736109e67d7b44aa1afb8fc8133f8cb6/test/regression-suite/test/cases/x3dscript/TouchSensorIsOverEventECMAScript.html
>>
>> Here is the implementation:
>>
>> https://github.com/andreasplesch/x3dom/blob/fields/src/nodes/Scripting/X3DScript.js
>>
>> I am using "X3DScript" for now because it is less confusing. It should be possible to switch to Script type='app/x3dscript' at some point.
>>
>> It turns out that in html documents CDATA sections get converted into comments. This is great since it lets one use any character ( except for -->) in the script. So I am looking for converted comments under the script node for the script source.  I did not look into xhtml but xml should be easier.
>>
>> Since MDN also recommends Function over eval, I tried to go this way and could figure out an (unsafe) solution using wrappers to maintain the internal context of the script. I think the same approach may be possible for x_ite as well.
>>
>> I use the nice x_ite approach to get access to the functions in the script, by returning references to the functions.
>>
>> Unlike x_ite I am trying not to use with() since it is not recommended. Instead I add lots of helpers to the script source in a preamble, I think like you do. For output fields x_ite is also using with() and getters and setters. For now, I am trying to avoid with() and just compare output field values before and after a script set function gets called, from a route. If there is a change, an event is fired.
>>
>> There is no attempt to deal with XFNode field values. This will be tricky. I did not test anything other than the simple example but other simple examples may start to work as well, perhaps with some adjustments to how SAI is used. Gears will need SFRotation which may be easy to add to the preamble.
>>
>> Cheers, -Andreas
>> ---on the phone---
>>
>>
>> On Thu, Oct 15, 2020 at 10:31 PM John Carlson <yottzumm at gmail.com> wrote:
>> >
>> >
>> >
>> > On Thu, Oct 15, 2020 at 9:25 PM John Carlson <yottzumm at gmail.com> wrote:
>> >>
>> >> What I am searching for is:
>> >>
>> >> 1. How to add Script related routes to X3DOM
>> >
>> >
>> > Once I set up Script and fields, this is done automatically with setupTree?
>> >
>> >>
>> >> 2. How to hook in Proto IS statements found in Scripts.
>> >
>> >
>> > Not sure how to do that yet.
>> >>
>> >> 3. How to modify any Script code to support parsing and the above.
>> >
>> >
>> > adding any functions, declaring variables, etc.
>> >>
>> >>
>> >> On Thu, Oct 15, 2020 at 9:15 PM John Carlson <yottzumm at gmail.com> wrote:
>> >>>
>> >>> Something like
>> >>>
>> >>> fromNode.setupRoute(fromField, toNode, toField);
>> >>>
>> >>> ? That's only for routes?  What about events?
>> >>>
>> >>> John
>> >>>
>> >>>
>> >>> On Thu, Oct 15, 2020 at 8:42 PM John Carlson <yottzumm at gmail.com> wrote:
>> >>>>
>> >>>>
>> >>>>>> Use the set_xfield functions on field_changed (xfield).
>> >>>>>
>> >>>>>
>> >>>>> Not implemented.  Is this new code?   Where would I put it under Scripting/?   Can you provide a short example?
>> >>>>>>
>> >>>>>>
>> >>>>>> Post messages for all _changed fields as given in the field def.
>> >>>>>> Somehow deal with SFNode fields.
>> >>>>>>
>> >>>>>>
>> >>>>
>> >>>> There is sample code under Script.js:
>> >>>> https://github.com/coderextreme/X3DJSONLD/blob/master/src/main/node/Script.js#L346
>> >>>>
>> >>>> Below:
>> >>>> ====================================================================
>> >>>>         doRoute(mypackage, fromNode, fromField, toNode, toField, log, set, changed, selector, url) {
>> >>>>                 var fromScript = mypackage.find(fromNode);
>> >>>>                 var toScript = mypackage.find(toNode);
>> >>>>                 // only add routes with scripts involved
>> >>>>                 if (typeof fromScript !== 'undefined' || typeof toScript !== 'undefined') {
>> >>>>                         var from = this.nodeUtil(selector)+fromNode+"','"+fromField+"')";
>> >>>>                         if (typeof fromScript !== 'undefined') {
>> >>>>                                 from = 'typeof '+this.useX3DJSON('Obj', selector, url, fromScript.name)+'.'+fromField+changed+' === "function" ? '+this.useX3DJSON('Obj', selector, url, fromScript.name) + '.'+fromField+changed+'() : '+this.useX3DJSON('Obj', selector, url, fromScript.name) + '.'+fromField;
>> >>>>                         }
>> >>>>                         var to = this.nodeUtil(selector)+toNode+"','"+toField+"',";
>> >>>>                         if (typeof toScript !== 'undefined') {
>> >>>>                                 to = this.useX3DJSON('Obj', selector, url, toScript.name) + '.'+set+toField+'(';
>> >>>>                         }
>> >>>>                         if (typeof fromScript !== 'undefined' && typeof toScript !== 'undefined') {
>> >>>>                                 log.log("               if ("+this.useX3DJSON('Obj', selector, url, toScript.name)+" && "+from+") {");
>> >>>>                         }
>> >>>>                         log.log("                       "+to+from+", __eventTime);");
>> >>>>                         if (typeof fromScript !== 'undefined' && typeof toScript !== 'undefined') {
>> >>>>                                 log.log("               }");
>> >>>>                         }
>> >>>>                 }
>> >>>>         }
>> >>>>
>> >>>>  ====================================================================
>> >>>>
>>
>>


-- 
Andreas Plesch
Waltham, MA 02453
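
The approach described in the quoted 6:48 AM message (a Function wrapper with a preamble, returned references to the script's functions, and a before/after comparison of output fields) as an added example; it is not x3dom's X3DScript.js or code from this thread. `compileScript`, `route`, `onEvent` and the sample script and fields are hypothetical.

```javascript
// Added example; compileScript, route and onEvent are hypothetical names, not x3dom API.
// Constructed sample: script source as it would be read from the converted CDATA comment.
const sampleSource = `
function set_isOver(value, time) {
  diffuse = value ? [1, 0, 0] : [0, 0, 1];
}`;
// Constructed field declarations for the sample.
const sampleFields = [
  { name: "set_isOver", access: "inputOnly" },
  { name: "diffuse", access: "outputOnly", value: [0, 0, 1] },
];

function compileScript(source, fields, onEvent) {
  // Field names are spliced into generated source, so accept plain identifiers only.
  for (const f of fields) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(f.name)) throw new Error("bad field name: " + f.name);
  }
  const inputs = fields.filter((f) => f.access === "inputOnly").map((f) => f.name);
  const outputs = fields.filter((f) => f.access === "outputOnly");
  // Preamble: output fields become locals of the wrapper, initial values via JSON.
  const preamble = outputs.map((f) => `var ${f.name} = ${JSON.stringify(f.value)};`).join("\n");
  // Epilogue: return references to the script's functions and a reader for outputs.
  const epilogue =
    "return { fns: {" +
    inputs.map((n) => `${n}: typeof ${n} === "function" ? ${n} : undefined`).join(",") +
    "}, read: function () { return {" +
    outputs.map((f) => `${f.name}: ${f.name}`).join(",") +
    "}; } };";
  // new Function keeps the script away from this function's locals, but the body
  // still reaches every global object, so this is a wrapper, not a sandbox.
  const ctx = new Function(preamble + "\n" + source + "\n" + epilogue)();
  // Serialize each output so in-place mutation of an array is also detected.
  const snapshot = () => {
    const now = ctx.read();
    return Object.fromEntries(Object.keys(now).map((k) => [k, JSON.stringify(now[k])]));
  };
  return {
    route(field, value, time) {
      const fn = ctx.fns[field];
      if (typeof fn !== "function") return false;
      const before = snapshot();
      fn(value, time);
      const after = snapshot();
      const current = ctx.read();
      for (const name of Object.keys(after)) {
        if (after[name] !== before[name]) onEvent(name, current[name], time);
      }
      return true;
    },
  };
}
```

Because the script body can still reach globals, this pattern is only appropriate for scene content that is trusted to the same degree as the page's own scripts.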


