I'm trying to use Douglas Crockford's ADsafe library.
I thought it was supposed to restrict the JavaScript that can be used, but it seems to be letting dangerous calls through, such as eval().
Here's an example of the sandbox not restricting anything:
<html>
  <head>
    <title>ADsafe Widget Template</title>
  </head>
  <body>
    <script src="adsafe.js"></script>
    <div id="WIDGET_">
      <script>
        ADSAFE.go("WIDGET_", function (dom, lib) {
          "use strict";
          //
          // ADsafe is allowing these to execute!!
          //
          window.alert("window.alert is working :(");
          eval('window.alert("hello from eval")');
          window.location = "http://www.google.com";
        });
      </script>
    </div>
  </body>
</html>
Does anybody know how the ADsafe sandbox is supposed to work?
As far as I can tell, ADsafe does not actually check your code for these violations. You are expected to use JSLint with the ADsafe option enabled to parse any untrusted JavaScript and verify that there are no ADsafe violations before using it.
Anyone, please correct me if this is wrong.
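To illustrate the point made in the answer above (verification is a separate static pass that has to run before the widget source is placed on the page), here is an added example that is not part of the question, of ADsafe, or of JSLint: a toy scanner in JavaScript that tokenizes a widget body, ignores comments and string literals, and flags identifiers that ADsafe's rules reject. The forbidden-name and forbidden-global lists are an assumed approximation of ADsafe's published restrictions, regex literals are assumed absent from the input, and the `dom.q("#WIDGET_GREETING")` call in the clean sample is an assumed use of the ADsafe `dom` API. The two widget bodies are constructed samples; the first is the body from the question.

```javascript
// Added example, not ADsafe or JSLint code: a toy static check that runs on
// widget source BEFORE it is pasted into ADSAFE.go(...). Rule lists below are
// an assumed approximation of ADsafe's rules, not the real verifier.

// Names treated as dangerous wherever they appear (assumed subset).
const FORBIDDEN_NAMES = new Set([
  "this", "arguments", "callee", "caller", "constructor", "eval",
  "prototype", "stack", "unwatch", "valueOf", "watch",
]);
// Globals a widget must not reach directly; it only gets `dom` and `lib`
// from ADSAFE.go (assumed subset of browser globals).
const FORBIDDEN_GLOBALS = new Set([
  "window", "document", "self", "top", "parent", "Function",
  "setTimeout", "setInterval", "XMLHttpRequest",
]);

// Minimal tokenizer: yields identifiers with their line number and whether
// they are a property name (preceded by "."). Comments and string literals
// are skipped; regex literals are not handled (assumed absent).
function tokenize(src) {
  const idents = [];
  const n = src.length;
  let i = 0, line = 1, prev = "";   // prev = last significant token
  while (i < n) {
    const c = src[i];
    if (c === "\n") { line += 1; i += 1; continue; }
    if (c === "/" && src[i + 1] === "/") {            // line comment
      while (i < n && src[i] !== "\n") i += 1;
      continue;
    }
    if (c === "/" && src[i + 1] === "*") {            // block comment
      i += 2;
      while (i < n && !(src[i] === "*" && src[i + 1] === "/")) {
        if (src[i] === "\n") line += 1;
        i += 1;
      }
      i += 2;
      continue;
    }
    if (c === '"' || c === "'" || c === "`") {         // string literal
      const quote = c;
      i += 1;
      while (i < n && src[i] !== quote) {
        if (src[i] === "\\") i += 1;                   // skip escaped char
        if (src[i] === "\n") line += 1;
        i += 1;
      }
      i += 1;
      prev = "string";
      continue;
    }
    if (/[A-Za-z_$]/.test(c)) {                       // identifier/keyword
      let j = i;
      while (j < n && /[A-Za-z0-9_$]/.test(src[j])) j += 1;
      idents.push({ name: src.slice(i, j), line, isProperty: prev === "." });
      prev = "ident";
      i = j;
      continue;
    }
    if (/[0-9]/.test(c)) {                            // number, eats "1.5"
      let j = i;
      while (j < n && /[A-Za-z0-9_.]/.test(src[j])) j += 1;
      prev = "number";
      i = j;
      continue;
    }
    if (!/\s/.test(c)) prev = c;                      // punctuator
    i += 1;
  }
  return idents;
}

// Returns every violation; an empty array means the widget passes this check.
function checkWidget(src) {
  const findings = [];
  for (const t of tokenize(src)) {
    if (FORBIDDEN_NAMES.has(t.name)) {
      findings.push({ line: t.line, name: t.name, reason: "dangerous name" });
    } else if (/^_|_$/.test(t.name)) {
      findings.push({ line: t.line, name: t.name, reason: "leading/trailing underscore" });
    } else if (!t.isProperty && FORBIDDEN_GLOBALS.has(t.name)) {
      findings.push({ line: t.line, name: t.name, reason: "global access" });
    }
  }
  return findings;
}

// Constructed sample: the body of the widget function from the question.
const BAD_WIDGET = `
"use strict";
window.alert("window.alert is working :(");
eval('window.alert("hello from eval")');
window.location = "http://www.google.com";
`;
// Constructed sample: a widget that only uses what ADSAFE.go hands it.
const GOOD_WIDGET = `
"use strict";
var greeting = dom.q("#WIDGET_GREETING");
greeting.value("hello from a verified widget");
`;

for (const [label, src] of [["bad", BAD_WIDGET], ["good", GOOD_WIDGET]]) {
  const findings = checkWidget(src);
  console.log(label, findings.length === 0 ? "passes" : findings);
}
```

The scanner reports `window` on lines 3 and 5 and `eval` on line 4 of the first sample and nothing for the second, which is the gate ADsafe expects JSLint to provide: the page-side `ADSAFE.go` call trusts that this step already happened, so unverified code pasted into the widget runs with full access, exactly as the question observed. A name check like this is only a sketch of what JSLint does; it does not parse the language, so it should not be used as a real security boundary.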