String manipulation reference/possibilities for Application Studio

Yep, although that still doesn’t make any sense. People see security issues where there are none.

No different than code I do in the classic client now.

Really? eval() functionality exists across many programming languages, and to the very last one, its use is discouraged because exploits have appeared, ESPECIALLY when one does not have 100% full control of the expression executed. This means pretty much every web application out there is dangerous if there is any possible way the user can manipulate the expression, which in a browser is trivial.

JavaScript

Python

PowerShell

Ruby

PHP

Perl

Bad things can happen when we use shortcuts to get things done quickly…


The Open Web Application Security Project calls Dynamic Code Evaluation a type of Command Injection attack.
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection

Which one may argue hasn’t been secure either - all of our code, not yours per se. This might be why we’re seeing movement on what we will be able to do in the future. I know, I know, Programming is an art…


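An added example, not code from this thread or from Application Studio, of the two patterns the post above contrasts: an expression string taken from a screen field and handed to the JavaScript engine (`Function()` here, which is the same class of dynamic code evaluation as `eval()` and is covered by the same OWASP page), next to a small evaluator that parses a fixed arithmetic grammar and resolves identifiers only against the field map it is given. The field names, the `evalUnsafe`/`evalSafe`/`attemptSafe` helpers and the payload are all made up for illustration.

```javascript
// Added example: dynamic code evaluation over a user-controlled string,
// beside a whitelisting expression evaluator that never executes code.
// Names and data are constructed for this illustration.

// Constructed field values, as a screen might hold them.
const fields = { Quantity: 3, UnitPrice: 4.5, Discount: 0.1 };

// VULNERABLE: the expression text comes from a user-editable field and is
// compiled as JavaScript. Field names are exposed as parameters, but the
// body can reference anything else in scope, including globalThis.
function evalUnsafe(expr, ctx) {
  const fn = new Function(...Object.keys(ctx), `return (${expr});`);
  return fn(...Object.values(ctx));
}

// Constructed attacker payload. It still yields a plausible number, so the
// result looks right on screen, but the middle operand has a side effect.
const payload =
  "Quantity * UnitPrice, (globalThis.pwned = 'attacker ran code'), Quantity * UnitPrice";

// HARDENED: tokenize and parse a tiny grammar (numbers, field names,
// + - * / and parentheses). Anything outside it is rejected up front.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/()]))/y;

function tokenize(src) {
  const text = src.trim();
  const tokens = [];
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < text.length) {
    const at = TOKEN.lastIndex;
    const m = TOKEN.exec(text);
    if (!m) throw new SyntaxError(`Unexpected input at offset ${at}: ${JSON.stringify(text.slice(at, at + 10))}`);
    if (m[1] !== undefined) tokens.push({ type: "num", value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: "id", value: m[2] });
    else tokens.push({ type: "op", value: m[3] });
  }
  return tokens;
}

function evalSafe(expr, ctx) {
  const toks = tokenize(expr);
  let i = 0;
  const peek = () => toks[i];
  const next = () => toks[i++];
  const expect = (v) => {
    const t = next();
    if (!t || t.value !== v) throw new SyntaxError(`Expected ${v}`);
  };

  function primary() {
    const t = next();
    if (!t) throw new SyntaxError("Unexpected end of expression");
    if (t.type === "num") return t.value;
    if (t.type === "id") {
      // Only fields explicitly supplied are visible: no globals, no prototype chain.
      if (!Object.prototype.hasOwnProperty.call(ctx, t.value)) throw new ReferenceError(`Unknown field ${t.value}`);
      const v = ctx[t.value];
      if (typeof v !== "number") throw new TypeError(`Field ${t.value} is not numeric`);
      return v;
    }
    if (t.value === "(") { const v = additive(); expect(")"); return v; }
    if (t.value === "-") return -primary();
    throw new SyntaxError(`Unexpected token ${t.value}`);
  }
  function multiplicative() {
    let v = primary();
    while (peek() && (peek().value === "*" || peek().value === "/")) {
      const op = next().value;
      const r = primary();
      v = op === "*" ? v * r : v / r;
    }
    return v;
  }
  function additive() {
    let v = multiplicative();
    while (peek() && (peek().value === "+" || peek().value === "-")) {
      const op = next().value;
      const r = multiplicative();
      v = op === "+" ? v + r : v - r;
    }
    return v;
  }

  const result = additive();
  if (i !== toks.length) throw new SyntaxError(`Trailing input: ${toks[i].value}`);
  return result;
}

// Wraps evalSafe so a caller can see which error class rejected an input.
function attemptSafe(expr, ctx) {
  try { return { ok: true, value: evalSafe(expr, ctx) }; }
  catch (e) { return { ok: false, error: e.constructor.name, message: e.message }; }
}

console.log("unsafe, payload  ->", evalUnsafe(payload, fields), "| pwned:", globalThis.pwned);
console.log("safe, legitimate ->", evalSafe("Quantity * UnitPrice * (1 - Discount)", fields));
console.log("safe, payload    ->", attemptSafe(payload, fields));
console.log("safe, 'constructor' ->", attemptSafe("constructor", fields));
```

The unsafe version returns the expected 13.5 for the payload while quietly setting a global; the safe version rejects the same string at the first comma, and rejects `constructor` or `__proto__` because identifiers are resolved with an own-property check against the supplied field map rather than against the JavaScript scope. The broader point from the post still stands: a check like this only matters for what the server trusts, since anything running in the browser can be altered by the user.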

This pretty much sums up Application Studio :rofl:


Yes, really. But also, no. I’m sorry my full point wasn’t clear. I don’t think we are that far apart.

I’m not a fan of eval at all.

My full point was more along the lines of, do not enforce security at the client side. If I can manipulate the code on the front end and bypass security, I’m already in.

I believe we need to be able to inject JS into the screen, for advanced scenarios, but in a sandboxed, sanctioned way, not using a string from a field etc.

Anything I can do in eval is moot if I can just manipulate the DOM and do the same things.
Do I want eval? Not really. I want a place where I can inject JS from the backend.



Oh, we’re not. But you’re a very trusted person on this site and if a passerby sees:

It doesn’t contain the nuance that I know you have. That’s all.


You are absolutely right, which is why I typed it out.



And I’m not as responsible as the better coders here!

:rofl:
