mirror
/
turtlestitch
kopia lustrzana https://github.com/backface/turtlestitch
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

Disable JS-Functions to protect users from malicious scripts 

commented out for now
pull/29/head
jmoenig 2016-12-27 16:08:23 +01:00
rodzic 81a0d30032
commit 1ecb97a972
5 zmienionych plików z 48 dodań i 8 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

16
gui.js
Wyświetl plik

@ -72,7 +72,7 @@ isRetinaSupported, SliderMorph, Animation*/
// Global stuff //////////////////////////////////////////////////////// // Global stuff ////////////////////////////////////////////////////////
modules.gui = '2016-December-25'; modules.gui = '2016-December-27';
// Declarations // Declarations
@ -2411,6 +2411,20 @@ IDE_Morph.prototype.settingsMenu = function () {
); );
} }
menu.addLine(); menu.addLine();
/*
addPreference(
'JavaScript',
function () {
Process.prototype.enableJS = !Process.prototype.enableJS;
myself.currentSprite.blocksCache.operators = null;
myself.currentSprite.paletteCache.operators = null;
myself.refreshPalette();
},
Process.prototype.enableJS,
'uncheck to disable support for\nnative JavaScript functions',
'check to support\nnative JavaScript functions'
);
*/
if (isRetinaSupported()) { if (isRetinaSupported()) {
addPreference( addPreference(
'Retina display support', 'Retina display support',

4
history.txt
Wyświetl plik

@ -3219,6 +3219,10 @@ http://snap.berkeley.edu/run#cloud:Username=jens&ProjectName=rotation
------ ------
* GUI: update undrop controls when switching sprites and display modes * GUI: update undrop controls when switching sprites and display modes
161227
------
* GUI, Threads, Objects, Store: Disable JS-Functions, to protect users from malicious scripts, commented out for now
== v4.10 === (in development) == v4.10 === (in development)

8
objects.js
Wyświetl plik

@ -82,7 +82,7 @@ SpeechBubbleMorph, RingMorph, isNil, FileReader, TableDialogMorph,
BlockEditorMorph, BlockDialogMorph, PrototypeHatBlockMorph, localize, BlockEditorMorph, BlockDialogMorph, PrototypeHatBlockMorph, localize,
TableMorph, TableFrameMorph, normalizeCanvas, BooleanSlotMorph*/ TableMorph, TableFrameMorph, normalizeCanvas, BooleanSlotMorph*/
modules.objects = '2016-December-23'; modules.objects = '2016-December-27';
var SpriteMorph; var SpriteMorph;
var StageMorph; var StageMorph;
@ -2027,8 +2027,11 @@ SpriteMorph.prototype.blockTemplates = function (category) {
blocks.push('-'); blocks.push('-');
blocks.push(block('reportIsA')); blocks.push(block('reportIsA'));
blocks.push(block('reportIsIdentical')); blocks.push(block('reportIsIdentical'));
if (true) { // (Process.prototype.enableJS) {
blocks.push('-'); blocks.push('-');
blocks.push(block('reportJSFunction')); blocks.push(block('reportJSFunction'));
}
// for debugging: /////////////// // for debugging: ///////////////
@ -6201,8 +6204,11 @@ StageMorph.prototype.blockTemplates = function (category) {
blocks.push('-'); blocks.push('-');
blocks.push(block('reportIsA')); blocks.push(block('reportIsA'));
blocks.push(block('reportIsIdentical')); blocks.push(block('reportIsIdentical'));
if (true) { // (Process.prototype.enableJS) {
blocks.push('-'); blocks.push('-');
blocks.push(block('reportJSFunction')); blocks.push(block('reportJSFunction'));
}
// for debugging: /////////////// // for debugging: ///////////////

12
store.js
Wyświetl plik

@ -61,7 +61,7 @@ normalizeCanvas*/
// Global stuff //////////////////////////////////////////////////////// // Global stuff ////////////////////////////////////////////////////////
modules.store = '2016-November-24'; modules.store = '2016-December-27';
// XML_Serializer /////////////////////////////////////////////////////// // XML_Serializer ///////////////////////////////////////////////////////
@ -1017,6 +1017,16 @@ SnapSerializer.prototype.loadBlock = function (model, isReporter) {
model.attributes['var'] model.attributes['var']
); );
} }
/*
if (model.attributes.s === 'reportJSFunction' &&
!Process.prototype.enableJS) {
if (window.confirm('enable JavaScript?')) {
Process.prototype.enableJS = true;
} else {
throw new Error('JavaScript is not enabled');
}
}
*/
block = SpriteMorph.prototype.blockForSelector(model.attributes.s); block = SpriteMorph.prototype.blockForSelector(model.attributes.s);
} else if (model.tag === 'custom-block') { } else if (model.tag === 'custom-block') {
isGlobal = model.attributes.scope ? false : true; isGlobal = model.attributes.scope ? false : true;

8
threads.js
Wyświetl plik

@ -61,7 +61,7 @@ StageMorph, SpriteMorph, StagePrompterMorph, Note, modules, isString, copy,
isNil, WatcherMorph, List, ListWatcherMorph, alert, console, TableMorph, isNil, WatcherMorph, List, ListWatcherMorph, alert, console, TableMorph,
TableFrameMorph, ColorSlotMorph, isSnapObject*/ TableFrameMorph, ColorSlotMorph, isSnapObject*/
modules.threads = '2016-December-22'; modules.threads = '2016-December-27';
var ThreadManager; var ThreadManager;
var Process; var Process;
@ -473,6 +473,7 @@ Process.prototype.isCatchingErrors = true;
Process.prototype.enableLiveCoding = false; // experimental Process.prototype.enableLiveCoding = false; // experimental
Process.prototype.enableSingleStepping = false; // experimental Process.prototype.enableSingleStepping = false; // experimental
Process.prototype.flashTime = 0; // experimental Process.prototype.flashTime = 0; // experimental
// Process.prototype.enableJS = false;
function Process(topBlock, onComplete, rightAway) { function Process(topBlock, onComplete, rightAway) {
this.topBlock = topBlock || null; this.topBlock = topBlock || null;
@ -1000,6 +1001,11 @@ Process.prototype.evaluate = function (
) { ) {
if (!context) {return null; } if (!context) {return null; }
if (context instanceof Function) { if (context instanceof Function) {
/*
if (!this.enableJS) {
throw new Error('JavaScript is not enabled');
}
*/
return context.apply( return context.apply(
this.blockReceiver(), this.blockReceiver(),
args.asArray().concat([this]) args.asArray().concat([this])