<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">[Removed X3DOM mailing list because the
message applies to X3D in general and not X3DOM.]<br>
<br>
There have been several mentions over the last many months about
using eval to process code in the browser. Sometimes the code is
JSON, other times the code is JavaScript (sometimes HTML5
JavaScript, others X3D ECMAScript). <br>
<br>
I do not recall seeing any discussion of potential security issues
when 'eval'ing code. <br>
<br>
If the string is JSON, then the proper way to convert the JSON
string to internal data structure is with JSON.parse (e.g., see
<a class="moz-txt-link-freetext" href="https://www.w3schools.com/js/js_json_parse.asp">https://www.w3schools.com/js/js_json_parse.asp</a>). This built-in
method ensures that no code is executed and only data structures
are created.<br>
<br>
eval() is a dangerous function. <br>
<br>
<a class="moz-txt-link-freetext" href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Do_not_ever_use_eval">https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#Do_not_ever_use_eval</a>!<br>
<br>
Any library that provides the ability to execute uncontrolled code
is really asking for trouble and probably will not be allowed in
any corporate environment. Any X3D solution that requires the use
of eval() for user code needs to be re-thought to develop a
solution without that requirement -- either explicitly stated or
required because no other solution to the requirements is
possible.<br>
<br>
<br>
Leonard Daly<br>
<br>
<br>
<br>
<br>
</div>
<blockquote type="cite"
cite="mid:CAGC3UE=4tO09r7ekU__7DRb0_Q-0H6St+P_tmGUREJQjeWBHHQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div>
<div dir="auto">I am interested in the fields, specifically
getting scenegraph values out of SFNodes which are in fields.
I can call the script node mooluckpooluck when I insert it
into DOM, let’s just decide on something and add it to both
X_ITE and X3DOM. X_ITE already uses eval. Are we going to
make that magically disappear, if so, how? Let’s hop skip
jump to it if it has to go through W3C.</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">John</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Aug 6, 2018 at 1:32 AM John Carlson
&lt;<a href="mailto:yottzumm@gmail.com"
moz-do-not-send="true">yottzumm@gmail.com</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div dir="auto">I don’t care if the script tag is called
mooluckpooluck or if there is a conflict. I’m working
in the JSON environment, so the rules are somewhat
different. What I am concerned about is getting my
arrays converted to arrays and not strings.</div>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Aug 6, 2018 at 1:19 AM John
Carlson &lt;<a href="mailto:yottzumm@gmail.com"
target="_blank" moz-do-not-send="true">yottzumm@gmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div dir="auto">Leonard, I agree my approach may not
work in all environments.</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">Determining a valid or invalid mime
type is extremely difficult if done semantically,
but extremely easy if done syntactically. My guess
is that many of the X3D tags are semantically
invalid, unless someone has added them to Apache.
I do not know the status of this. I have to add
mime types to my server for every new extension I
add. It is not that big of a deal.</div>
<div dir="auto"><br>
</div>
<div dir="auto">One may not need a script tag around
X3D script to execute X3D script. One may use eval
in a script tag. One may make script
inconsequential by making the scripts only
functions, and move the functions to a string which
is evaled. Essentially you are parsing twice.</div>
<div dir="auto"><br>
</div>
<div dir="auto">If we want script fields handled by
X3DOM, we will have to find some way to bring them
into X3DOM. X_ITE has shown the way. We can take
other approaches than X3DOM, like straight DOM. I
am beginning to think this is preferable, but using
DEF to find nodes which aren’t in the scenegraph has
kind of been, wtf?</div>
<div dir="auto"><br>
</div>
<div dir="auto">The question has become “Are DEFed
SFNodes valid scenegraph objects if they are in
fields?” This may show a failing of X3DOM, which may
need to be corrected. I can probably find the
scenegraph object using USE, but I really want to use
DEF. Can someone show me how to do it in the HTML5
environment?</div>
<div dir="auto"><br>
</div>
<div dir="auto">John</div>
<div>
<div class="gmail_quote">
<div dir="ltr">On Mon, Aug 6, 2018 at 12:24 AM
Leonard Daly &lt;<a
href="mailto:Leonard.Daly@realism.com"
target="_blank" moz-do-not-send="true">Leonard.Daly@realism.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558moz-cite-prefix">I
am replying to an early message in this
thread, but I hope to capture comments from
all messages in the thread. My comments only
apply to the web browser (HTML5)
environment.<br>
<br>
First, any Script tag (in any case) will be
handled by the web browser, and the web
browser will parse content before anything
else. If you really need to independently
parse some tags, you will need to "read" it
into a JavaScript variable and handle it
that way. If it's in the page file, it will
be parsed.<br>
<br>
There was a suggestion to use
"text/x3dscript" or some other string. The
W3C has something to say about this at <a
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558moz-txt-link-freetext"
href="https://www.w3.org/TR/html5/scripting-1.html#the-script-element"
target="_blank" moz-do-not-send="true">https://www.w3.org/TR/html5/scripting-1.html#the-script-element</a>.
The value of the type attribute must either
be<br>
<ol>
<li>omitted</li>
<li>JavaScript MIME type</li>
<li>"module"</li>
<li>any other valid mime type</li>
</ol>
<p>So the use of an invalid MIME type is not
technically valid HTML. This may cause a
problem with some browsers or validators;
or present future problems if that string
is ever defined to have a particular
meaning.</p>
<p>X3DOM does not have X3D scripting. If you
need scripting to correctly process an
X3DOM environment; then you need to do it
in HTML5 Javascript. X3DOM does not
process the Script tag, that is done by
HTML5. While X3DOM parser could recognize
that tag, it does not; hence, none of the
X3DOM methods are available to handle
interactions on a Script node (a Script
tag parsed into DOM).</p>
<p>The X3D Script / HTML5 Script tag name
conflict is a long-standing and known
issue. To my knowledge no work has been
done to break the conflict. <br>
</p>
<p>Leonard Daly<br>
</p>
<p><br>
</p>
<p><br>
</p>
<br>
<br>
</div>
</div>
<div text="#000000" bgcolor="#FFFFFF">
<blockquote type="cite">
<div
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558WordSection1">
<p class="MsoNormal">Here’s my current
code for clearing the ECMAScript out of
an X3D file so that it doesn’t show on
the screen:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
$(selector+"
Script").contents().filter(function () {</p>
<p class="MsoNormal">
return this.nodeType === 3 ||
this.nodeType === 4;</p>
<p class="MsoNormal">
}).remove();</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">This retains the
fields. I may change my code to work
with fields instead of parsing out the
fields into properties (but directOutput
is nice). This would mean that X3DOM
has to route to and from the script
fields (is this possible?).</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">John</p>
<p class="MsoNormal"> </p>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="border:none;padding:0in"><b>From:
</b><a
href="mailto:yottzumm@gmail.com"
target="_blank"
moz-do-not-send="true">John Carlson</a><br>
<b>Sent: </b>Saturday, August 4, 2018
4:56 AM<br>
<b>To: </b><a
href="mailto:vmarchetti@kshell.com"
target="_blank"
moz-do-not-send="true">vmarchetti@kshell.com</a>;
<a href="mailto:x3d-public@web3d.org"
target="_blank"
moz-do-not-send="true">X3D-Public</a>;
<a
href="mailto:x3dom-users@lists.sourceforge.net"
target="_blank"
moz-do-not-send="true">x3dom mlist</a>;
<a
href="mailto:andreasplesch@gmail.com"
target="_blank"
moz-do-not-send="true">Andreas
Plesch</a><br>
<b>Subject: </b>RE: [x3d-public] good
example for ECMAScripting and Protos?</p>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I have a problem with
this file in X3DOM, because as far as I
can tell, the SFNode fields (the node,
not the field) do not have getFieldValue
for point etc. as a function, for
example (but one can double check me).
In other words, I don’t think this node
is an X3DOM node.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thus I cannot take a
reasonable length in the script. One
would have to parse the string.</p>
<p class="MsoNormal"><br>
That’s as clear as I can get. I think
this might be because x3dom does not
process scripts correctly. We would need
a script tag handler, and a field
handler inside that.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Can you help
Andreas? I’ve created a script tag
before, but that code is lost. It might
be in my GitHub repository somewhere,
not sure.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">We just need a script
tag that has fields, but doesn’t execute
its CDATA section. I am pretty sure</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">How is V4.0 handling
this?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Alternatively, I can
change my nodeUtil code to look at the
type and do the right thing converting a
string to the correct type.
Suggestions are welcome.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks for the great
example, Vince,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Should I adapt my
code to deal with this failing in X3DOM,
or should we change X3DOM?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">John</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<div style="border:none;border-top:solid
#e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From: </b><a
href="mailto:vmarchetti@kshell.com"
target="_blank"
moz-do-not-send="true">vmarchetti@kshell.com</a><br>
<b>Sent: </b>Wednesday, August 1,
2018 9:04 PM<br>
<b>To: </b><a
href="mailto:yottzumm@gmail.com"
target="_blank"
moz-do-not-send="true">John Carlson</a>;
<a href="mailto:x3d-public@web3d.org"
target="_blank"
moz-do-not-send="true">X3D-Public</a><br>
<b>Subject: </b>Re: [x3d-public] good
example for ECMAScripting and Protos?</p>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">See </p>
<p class="MsoNormal"><a
href="http://www.kshell.com/pages/pointcloudvisualization/SphereDirectedPointSet.x3d"
target="_blank" moz-do-not-send="true">http://www.kshell.com/pages/pointcloudvisualization/SphereDirectedPointSet.x3d</a></p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">It is an X3D file
with a Prototype + ecmascript
definition of a point cloud, with a
vector attached to each point of the
cloud.</p>
</div>
<div>
<p class="MsoNormal">Example used is
just points randomly distributed on
sphere with directs pointed radially
outward.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Potential uses
would be to implement the scanning
design pattern
at <a
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558moz-txt-link-freetext"
href="http://x3dgraphics.com/examples/X3dForAdvancedModeling/Scanning/X3dMeshDesignPatternIndex.html"
target="_blank"
moz-do-not-send="true">http://x3dgraphics.com/examples/X3dForAdvancedModeling/Scanning/X3dMeshDesignPatternIndex.html</a>
, or</p>
</div>
<div>
<p class="MsoNormal">visualizing fluid
flow or electromagnetic field</p>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"> </p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jul 31,
2018, at 10:30 PM, John Carlson
<a
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558moz-txt-link-rfc2396E"
href="mailto:yottzumm@gmail.com" target="_blank" moz-do-not-send="true">&lt;yottzumm@gmail.com&gt;</a>
wrote:</p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Is there a
good example of ECMAScripting
in X3D that I can use to test
my X3D JSON ECMAScript
preprocessor? Preferably with
Protos<span
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558apple-converted-space"> </span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Thanks!</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">John</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:'Monaco',serif">_______________________________________________<br>
x3d-public mailing list<br>
</span><a
href="mailto:x3d-public@web3d.org"
target="_blank"
moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:'Monaco',serif;color:#954f72">x3d-public@web3d.org</span></a><span
style="font-size:9.0pt;font-family:'Monaco',serif"><br>
</span><a
href="http://web3d.org/mailman/listinfo/x3d-public_web3d.org"
target="_blank"
moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:'Monaco',serif;color:#954f72">http://web3d.org/mailman/listinfo/x3d-public_web3d.org</span></a></p>
</div>
</blockquote>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
</div>
<br>
</blockquote>
<p><br>
</p>
<div
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558moz-signature">--
<br>
<font
class="m_3705278146108278236m_8095493740017175402m_-7056022351321710558tahoma,arial,helvetica
m_3705278146108278236m_8095493740017175402m_-7056022351321710558san
m_3705278146108278236m_8095493740017175402m_-7056022351321710558serif"
color="#333366"> <font size="+1"><b>Leonard
Daly</b></font><br>
3D Systems &amp; Cloud Consultant<br>
LA ACM SIGGRAPH Past Chair<br>
President, Daly Realism - <i>Creating the
Future</i> </font></div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<p><br>
</p>
<div class="moz-signature">-- <br>
<font class="tahoma,arial,helvetica san serif" color="#333366">
<font size="+1"><b>Leonard Daly</b></font><br>
3D Systems &amp; Cloud Consultant<br>
LA ACM SIGGRAPH Past Chair<br>
President, Daly Realism - <i>Creating the Future</i>
</font></div>
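<p>Added example, not part of the original thread and not code from X3DOM or X_ITE: it contrasts the JSON.parse and eval handling discussed above on the same input, and shows one way to turn X3D attribute strings into arrays without eval. The sample strings, the <code>__sideEffect</code> marker and the helper names (<code>parseSceneJson</code>, <code>evalParse</code>, <code>fieldToValue</code>) are assumptions made for illustration.</p>

```javascript
// Constructed sample: an X3D-JSON-style fragment (not from a real scene).
const goodJson = '{"Coordinate": {"@DEF": "Pts", "@point": [0, 0, 0, 1, 1, 1]}}';
// Constructed input that is valid JavaScript but not valid JSON. The embedded
// expression only sets a harmless marker so the difference can be observed.
const notJson = '({"@point": (globalThis.__sideEffect = true, [0, 0, 0])})';

// Data-only parsing: JSON.parse never evaluates expressions, so anything
// outside the JSON grammar is rejected with a SyntaxError.
function parseSceneJson(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// The pattern the message warns about, kept only for comparison:
// eval runs whatever expression the string contains.
function evalParse(text) {
  return (0, eval)(text);
}

// Hypothetical helper: convert an X3D attribute string such as
// "0 0 0, 1 1 1" to numbers by field type, with a strict numeric grammar.
const NUMERIC_TYPES = new Set(['SFFloat', 'MFFloat', 'SFInt32', 'MFInt32',
  'SFVec3f', 'MFVec3f', 'SFColor', 'MFColor']);
const NUMBER = /^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/;

function fieldToValue(type, text) {
  if (type === 'SFBool') {
    if (text === 'true' || text === 'false') return text === 'true';
    throw new TypeError('invalid SFBool: ' + text);
  }
  if (!NUMERIC_TYPES.has(type)) return text; // other types stay strings
  return text.split(/[\s,]+/).filter(Boolean).map((token) => {
    if (!NUMBER.test(token)) throw new TypeError('invalid number: ' + token);
    return Number(token);
  });
}

console.log(parseSceneJson(goodJson).value.Coordinate['@point']);
console.log(parseSceneJson(notJson));
console.log(fieldToValue('MFVec3f', '0 0 0, 1 1 1'));
```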
</body>
</html>