I'm attempting to create a script which will run some JavaScript code which the user will input via an HTML input field. The effect will essentially be the same as opening the dev console and pasting your code in there, but I'd like to make it more friendly for those who are unfamiliar with the dev console.
When the user inputs his JavaScript, and presses submit, I have the input stored as a variable. What I need to do is take the content of that variable, and run it inside the browser as though it's actual code. Is it possible to do that, and how would I accomplish it?
You can achieve this using eval:
var code = "alert('ok')";
eval(code);
Not that you should be very careful when doing this, since running third party code is always dangerous.
You can use eval - http://www.w3schools.com/jsref/jsref_eval.asp
But is this more friendly?
Related
What is the source code for the default alert() function in Javascript(method of the window object)? I am trying to write an alert function myself so I would really like to get a peek at the original function code.It is so hard to google it.
The alert() function, like a number of other standard functions, is a part of the browser's Javascript runtime. It cannot be replicated with Javascript code (other than by calling alert()), and there is no platform-independent Javascript source code to the function.
It's a compiled function, probably different for every browser, so there is no source JS code for it.
You've noticed when you call it how it takes over the whole browser - it's not a part of the webpage like a popup or something; so if you're trying to achieve something like that (control at a lower level of the browser), there's no way to do it from JS. If you only need a popup, there are tons of online resources about how it do it.
The source code for alert() is... alert()
It is a primitive Word. If you want details, they are yet in another language.
Interpreted directly by the browser.
I'm building a security framework which injects a javascript file which will always be executed first, and blocks some functions to be executed.
The developers will make their own webapps and the script will make sure that some functionalities cannot be called.
Let's suppose the "blocking" script is like this:
window.alert = function(){Object.freeze(this)}
Is there any way for an application to circumvent this block, without using iframes/external files?
delete(window.alert) doesn't work in this scenario.
not if you can't stop that script running first, otherwise you could asign the original alert to something else:
var oldAlert = window.alert;
window.alert = function(){Object.freeze(this)}
How/why are you using alert? if its for debugging you'd be better off using console.log. if you are using it to notify users then maybe a dedicated modal would be the better option
Based on your updated question, it depends how your framework is loaded.
Lets say you provide the script to the developer to use, in that case they could very easily alter what your script does. if the code is running on in a env that isn't yours then you can assume it's not secure. browser plugins can block scripts, there would bypass any security based in a javascript file.
based on the work of #Abdennour TOUMI on this post : Opposite of Object.freeze or Object.seal in JavaScript, you can do something like that :
window.alert = function(){Object.freeze(this)} ;
Object.unfreezeAlert=function(){
return window.prompt;
}
window.alert = Object.unfreezeAlert(window.alert);
alert ('test4');
http://jsfiddle.net/scraaappy/pxv51zqg/
You need to set the alert property on Window.prototype, not on window. Otherwise:
Window.prototype.alert.call(window, 'This works.');
If I'm in my browser's JavaScript console, how can I programmatically get the last line I typed into the console?
I want to use this so that when I'm messing around with a DOM interactively using the JS console, I can have a savethat() function and if I like what I typed I can say
savethat(whatIjusttyped);
Let me try one more time:
In a pure JavaScript REPL environment, what expression will evaluate to the last console user input?
You can access the result (value) of the last typed expression. To do that use $_ variable.
I'm not sure you can get a line itself using JS, but you can do it using built-in feature of console itself - just press up button to modify the last entered line.
If you really want to access that line programmatically, you should understand there is no standard-defined way of doing that (ECMAscript certainly doesn't say how to do it). You should refer to your browser JS implementation documentation and hopefully you find something...
My goal is to write a javascript application that will take text as an input and compile/run that text as code.
For example, say the JS application has a light that can turn red or green. The user inputted text could be lightRed(); to turn it red, and lightGreen(); to turn it green. I think the standard way to solve this kind of issue is to implement some kind of lexer/parser, like what Jison does.
However, I'm fairly new to JS programming and that seems like a daunting task - especially when I later plan to add more complex functionality to it like if/else statements. So I was wondering if it was possible to have the inputted text treated as javascript, essentially using the browser's ability to process javascript. So the javascript application will have a light, and it will have functions called lightRed() and lightGreen(). Text inputted to the javascript will be treated as javascript, so writing lightRed() as text will directly execute the lightRed() function in the application. Is this possible? Would this be more complicated than just using something like Jison? Thanks!
The easiest way to compile the inputted JavaScript would be to use the eval function. This will evaluate and execute any code passed in as a string.
Example:
eval(document.getElementById('code').value)
JSFiddle
Be aware though that this does give the user the potential to execute any code that he wants without restriction, so think carefully before allowing this.
To help mitigate any security risk, you could execute the code in the global scope, as shown in this answer, preventing the code from accessing any of your local variables, and this would be just like if the user ran the code from their browser's developer console.
More Secure Example:
(function(){eval.apply(this,[document.getElementById('code').value])})()
More Secure JSFiddle
eval() will evaluate a string expression as JavaScript. Most people (including myself) will warn you about security holes; but if you think about it, the user could open up the javascript console and type and run all the same code.. So go for it :)
So, I'm running these Selenium IDE tests against a site I'm working on. Everything about the tests themselves is running fine, except I would like to do a bit of clean-up once I'm done. In my MVC3 Razor based site, I have a JavaScript file with a function that gets a JsonResult from a Controller of mine. That Controller handles the database clean-up that Selenium IDE otherwise couldn't handle.
However, I'm having a hard time finding any sort of documentation on how to do this. I know I can do JavaScript{ myJavascriptGoesHere } as one of the Values for a line in the test, but I can't seem to find a way to tell it to go find my clean-up function.
Is it even possible for Selenium IDE to do this sort of thing?
If it comes down to it, I can just make a separate View to handle the clean-up, but I'd really like to avoid that if possible.
Thanks!
If you want to execute your own JavaScript function that exists in your test page from Selenium IDE, you need to make sure you access it via the window object. If you look at the reference for storeEval for instance, it says:
Note that, by default, the snippet will run in the context of the
"selenium" object itself, so this will refer to the Selenium object.
Use window to refer to the window of your application, e.g.
window.document.getElementById('foo')
So if you have your own function e.g. myFunc(). You need to refer to it as window.myFunc().
This can be very handy for exercising client-side validation without actually submitting the form, e.g. if you want to test a variety of invalid and valid form field values.
If you use runScript, that should already run in the window's context.
This works for me.
IJavaScriptExecutor js = driver as IJavaScriptExecutor;
string title = (string)js.ExecuteScript("myJavascriptGoesHere");
Make sure your javascript works first before using it here!
Actually to access your page javascript space, you need to get the real window of your page : this.browserbot.getUserWindow()
See this statement to get the jQuery entry point in your page (if it has jQuery of course ^^ )
https://stackoverflow.com/a/54887281/2143734