JavaScript Security
The dojox.secure library is used to restrict the JavaScript™-provided clients to a safe sandbox so they cannot do anything malicious. However, this imposes a number of limitations.
The JavaScript in the sandbox generally follows rules to limit dangerous operations:
- Use of
eval
,with
,==
,!=
, and the subscript operator[]
are not allowed.- Instead of
==
use===
- Instead of
!=
use!==
- Instead of the
[]
operator, use theforEach()
,get()
, andset()
functions provided (described below).
- Instead of
- Usage of the
this
keyword is not allowed:- For item level events, the keyword
item
is used in place of thethis
keyword. - For page level events, the keyword
page
is used in place of thethis
keyword. - For form level events, the keyword
form
is used in place of thethis
keyword.
- For item level events, the keyword
- Limited access to global variables. Details are provided in the following section.
- These properties cannot be used:
apply
,arguments
,call
,callee
,caller
,constructor
,eval
,prototype
,this
,unwatch
,valueOf
,watch
, and any property beginning or ending with double underscore__
.
Security
The following global variables are accessible:
Variable | Description |
---|---|
element |
This the root element of the sandbox. Sandboxed elements do not have access to relational properties such as parentNode , firstSibling , nextSibling , etc. You can still use DOM methods and string properties like innerHTML . The style object can also be used, accessed, and modified. |
document |
This is a sandboxed document object that provides node creation and basic element searching facilities. The sandboxed document provides the following methods: getElementById , createElement , createTextNode , and write . |
The following standard JavaScript/DOM functions/constructors, and their child functions when applicable, can be called. They can be used only in call position. They cannot be accessed in any other way. They generally behave as the standard JavaScript function, unless otherwise noted:
isNaN
isFinite
parseInt
parseFloat
escape
unescape
encodeURI
encodeURIComponent
decodeURI
decodeURIComponent
alert
confirm
prompt
Date
RegExp
Error
Number
Math
setTimeout
- This only accepts a function, not a string.setInterval
- This only accepts a function, not a string.clearTimeout
clearInterval
The following special functions are available to compensate for the JavaScript syntax limitations imposed by the sandbox:
Function | Description |
---|---|
get(obj,prop) |
This is a special function to handle accessing properties in lieu of the [] operator. Calling get(obj,prop) is equivalent to obj[prop] . |
set(obj,prop,value) |
This is a special function to handle modifying properties in lieu of the [] operator. Calling set(obj,prop,value) is equivalent to obj[prop]=value . |
forEach(obj,func) |
This is a special function to iterate through all the properties in an object, or items in an array. For each item, the func function is called with the item as the first argument, the index as the second object, and the obj as the third object. |
The following functions for DOM manipulation and extra language features are provided by the Dojo Toolkit library. This represents a safe subset of Dojo. All Dojo library functions are provided as top-level functions. Namespacing is unnecessary because scripts do have access to modify the global object and can't define global variables. Thus, you can call Dojo functions directly, for example, you can call mixin(obj,mixinObj)
. You might also use the traditional syntax (dojox.mixin(...)
). Available functions include:
mixin
require
isString
isArray
isFunction
isObject
isArrayLike
isAlien
hitch
delegate
partial
trim
connect
disconnect
subscribe
unsubscribe
Deferred
toJson
fromJson
style
attr
query
- This only searches within the sandbox.byId
body
- This returns the root element of the sandbox.
Disabling JavaScript Security
Under some circumstances, the limitations imposed by the dojox.secure library might be too restrictive. Therefore, the dojox.secure library can be disabled server-wide by editing a Java™ properties file called Leap_config.properties in the extensions directory (C:\HCL\Leap\extensions on Windows™, /opt/HCL/Leap/extensions on Linux™). Set the value of the ibm.nitro.ApplicationCompilerService.secureJS key to false. Once the properties file is changed, the HCL Leap server should be restarted to ensure that the configuration takes effect. For more information, see Configuring the properties file.
Note: Changing this configuration setting to false should only be done if all the app authors on the server are known trusted users. Disabling JavaScript Security on a deployment of Leap that allows unvetted users to create applications could pose a serious security risk.
It should be noted that changes to this configuration setting are only applied to running applications when they are redeployed.
Parent topic: Reference Objects and Functions