There I replaced the timer by typing this in url

  • General discussion

  • javascript:void(window.setInterval(function() {document.getElementById("currentTime").innerText = "hacked";}, 10));
    Thursday, October 23, 2008 11:16 PM

All replies

  • The clock is protected from other, untrustworthy, code that is running in the sandbox. It's running in the sandbox if you type it in the code box, or put a URL to the untrustworthy code in the URL entry box on the page. Entering commands in the address bar of the browser doesn't run those commands in the sandbox, so it doesn't demonstrate a flaw in the sandbox.

    If you enter that same code in the code entry box, where it says "put javascript here", it will fail "object not found" because the element with ID "currentTime" isn't accessible to your sandboxed code.
    Thursday, October 23, 2008 11:42 PM
  • Thanks for the feedback and to expand on Bruce's comments.

    Some clarification.

    The goal of the sandbox is to protect execution that is occurring on the web page.   Mash-ups today include untrusted code directly in their page that can compromise the site.   The Sandbox isolates the untrusted content inside its own virtualized environment. The test page simulates the mash-up environment and adds any code you enter via the textbox or the referenced URL directly on the page (e.g., just as if the content was served directly from your server within <script> blocks).  Without the Sandbox, the code would have full access to the page. With the Sandbox, the boundaries are protected.

    The goal is to add a script to the page that stops the clock.  If the above code executing within the sandbox can stop the clock, then you would have found a proper exploit.  Typing in the address bar is not something DHTML can accomplish from within the web-page (and if it was, we would prohibit via the sandbox). 

    -Scott
    Thursday, October 23, 2008 11:47 PM
  • Well, I just have a question: can I embed any JavaScript library? It fails the moment I embed the jQuery library, for instance!
    Amr Gawish
    Monday, October 27, 2008 8:34 AM
  • Currently we are trying to support the widest possible range of JavaScript functionality. The jQuery framework currently fails because it uses the with statement. We currently do not support the “with” statement due to security reasons. This does not mean that in the future all uses of the “with” statement will throw a security exception.

    Monday, October 27, 2008 4:35 PM
  • Amr,

    If you are willing to edit JQuery and don't need the functionality provided by the one function that uses the with statement (or rewrite the code to avoid the with statement), removing that function may enable JQuery to run.

    -Scott
    Tuesday, October 28, 2008 3:57 PM
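
To find the function that the last reply suggests editing, a small scanner can list the lines where a script uses the `with` statement while ignoring the word inside comments, strings, regex literals and property names. This is an added example, not code from the Web Sandbox or jQuery; `findWithStatements` and `SAMPLE` are hypothetical names, the sample input is constructed, and the scanner assumes pre-ES6 source (no template literals).

```javascript
// Added example: report the line numbers of `with` statements in a script.
// Assumption: pre-ES6 source, so template literals are not handled.
function findWithStatements(source) {
  const hits = [], n = source.length;
  let i = 0, line = 1, lastSig = "";   // lastSig: last non-space code character
  while (i < n) {
    const c = source[i], d = source[i + 1];
    if (c === "/" && d === "/") {              // line comment: skip to end of line
      while (i < n && source[i] !== "\n") i++;
      continue;
    }
    if (c === "/" && d === "*") {              // block comment: skip, counting lines
      const end = source.indexOf("*/", i + 2);
      for (const stop = end < 0 ? n : end + 2; i < stop; i++) if (source[i] === "\n") line++;
      continue;
    }
    // A "/" opens a regex literal only where an expression may begin.
    const regex = c === "/" && (lastSig === "" || "(,=:[!&|?{};".includes(lastSig));
    if (c === '"' || c === "'" || regex) {     // string or regex literal: skip it
      for (i++; i < n && source[i] !== c && source[i] !== "\n"; i++) {
        if (source[i] === "\\" && source[++i] === "\n") line++;  // escaped character
      }
      if (source[i] === c) i++;
      lastSig = c;
      continue;
    }
    if (/[A-Za-z_$]/.test(c)) {                // identifier or keyword
      let j = i;
      while (j < n && /[\w$]/.test(source[j])) j++;
      let k = j;
      while (k < n && /\s/.test(source[k])) k++;
      // A statement, not a property access (obj.with) or an object key (with:).
      if (source.slice(i, j) === "with" && lastSig !== "." && source[k] === "(") hits.push(line);
      lastSig = source[j - 1]; i = j;
      continue;
    }
    if (c === "\n") line++;
    else if (!/\s/.test(c)) lastSig = c;
    i++;
  }
  return hits;
}

// Constructed sample input: only lines 3 and 6 contain real `with` statements.
const SAMPLE = [
  "// merge with (defaults)", "var msg = 'use with (care)';",
  "function evalIn(obj, code) { with (obj) { return eval(code); } }",
  "var re = /with (\\w+)/;", "api.with(opts);",
  "/* with (x) {} */ with(window){ run(); }",
].join("\n");
```

Each reported line is a place to rewrite with explicit property access (for example `obj.name` instead of `name` inside `with (obj)`) before loading the library into the sandbox.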