JavaScript™ Security
The dojox.secure library is used to restrict client-provided JavaScript™ to a safe sandbox so that it cannot do anything malicious. However, this imposes a number of limitations.
- The use of eval, with, ==, !=, and the subscript operator [] is not allowed.
  - Instead of == use ===
  - Instead of != use !==
  - Instead of the [ ] operator, use the forEach(), get(index), and set() functions provided.
- Usage of the this keyword is not allowed:
  - For item level events, the keyword item is used in place of the this keyword.
  - For page level events, the keyword page is used in place of the this keyword.
  - For form level events, the keyword form is used in place of the this keyword.
- Limited access to global variables. Details are provided in the following section.
- These properties must not be used: apply, arguments, call, callee, caller, constructor, eval, prototype, this, unwatch, valueOf, watch, and any property beginning or ending with __.
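As an added example (not part of the product documentation or of dojox.secure itself), the following heuristic check scans an event script for the constructs listed above before it is deployed. The rule names, the sample script, and the names item.getValue and rows are assumptions made for illustration.

```javascript
// Added example: heuristic pre-deployment lint, not the dojox.secure validator.
// Property names come from this page's list; eval and this have their own rules.
const BANNED_PROPS = ["apply", "arguments", "call", "callee", "caller",
  "constructor", "prototype", "unwatch", "valueOf", "watch"];
const KEYWORDS = new Set(["return", "typeof", "case", "in", "of", "delete", "void"]);
const RULES = [
  { id: "eval", re: /\beval\b/g },
  { id: "with", re: /\bwith\s*\(/g },
  { id: "loose-equality", re: /(?<![=!])==(?!=)/g },   // == but not === or !==
  { id: "loose-inequality", re: /!=(?!=)/g },          // != but not !==
  { id: "this", re: /\bthis\b/g },
  // obj[prop] subscripts; array literals such as "= [1, 2]" do not match.
  { id: "subscript", re: /([\w$]+|[)\]])\s*\[/g, skip: (m) => KEYWORDS.has(m[1]) },
  { id: "banned-property",
    re: new RegExp("\\.\\s*(?:" + BANNED_PROPS.join("|") + ")\\b", "g") },
  { id: "dunder-property", re: /\.\s*(?:__[\w$]*|[\w$]*__)(?![\w$])/g },
];

// Blank out comments and quoted strings so their contents cannot trigger a rule.
// Regex literals and template strings are not handled (heuristic only).
function stripLiterals(src) {
  const re = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g;
  return src.replace(re, (m) => m.replace(/[^\n]/g, " "));
}

// Return [{ line, rule }] in source order for each disallowed construct found.
function findSandboxViolations(src) {
  const clean = stripLiterals(src);
  const found = [];
  for (const { id, re, skip } of RULES) {
    for (const m of clean.matchAll(re)) {
      if (skip && skip(m)) continue;
      const line = clean.slice(0, m.index).split("\n").length;
      found.push({ line, rule: id, index: m.index });
    }
  }
  return found.sort((a, b) => a.index - b.index).map(({ line, rule }) => ({ line, rule }));
}

// Constructed sample event script; item.getValue and rows are hypothetical names.
const SAMPLE = [
  'var total = 0; // this comment is ignored',
  'if (item.getValue() == "") { alert("empty"); }',
  'var first = rows[0];',
  'var ok = get(rows, 0) === "a" && name !== "";',
  'this.setValue(Array.prototype.slice.call(list));',
].join("\n");

console.log(findSandboxViolations(SAMPLE));
```

A clean result from this check does not mean the script will pass the sandbox; it only catches the listed constructs early.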
Security
Variable | Description |
---|---|
element | This is the root element of the sandbox. Sandboxed elements do not have access to relational properties such as parentNode, firstSibling, nextSibling, etc. You can still use DOM methods and string properties like innerHTML. The style object can also be used, accessed, and modified. |
document | This is a sandboxed document object that provides node creation and basic element searching facilities. The sandboxed document provides the following methods: getElementById, createElement, createTextNode, and write. |
- isNaN
- isFinite
- parseInt
- parseFloat
- escape
- unescape
- encodeURI
- encodeURIComponent
- decodeURI
- decodeURIComponent
- alert
- confirm
- prompt
- Date
- RegExp
- Error
- Number
- Math
- setTimeout - This only accepts a function, not a string.
- setInterval - This only accepts a function, not a string.
- clearTimeout
- clearInterval
Function | Description |
---|---|
get(obj,prop) | This is a special function to handle accessing properties in lieu of the [] operator. Calling get(obj,prop) is equivalent to obj[prop]. |
set(obj,prop,value) | This is a special function to handle modifying properties in lieu of the [] operator. Calling set(obj,prop,value) is equivalent to obj[prop]=value. |
forEach(obj,func) | This is a special function to iterate through all the properties in an object, or items in an array. For each item, the func function is called with the item as the first argument, the index as the second argument, and obj as the third argument. |
- mixin
- require
- isString
- isArray
- isFunction
- isObject
- isArrayLike
- isAlien
- hitch
- delegate
- partial
- trim
- connect
- disconnect
- subscribe
- unsubscribe
- Deferred
- toJson
- fromJson
- style
- attr
- query - This only searches within the sandbox.
- byId
- body - This returns the root element of the sandbox.
Disabling JavaScript™ Security
Under some circumstances, the limitations imposed by the dojox.secure library might be too restrictive. Therefore, the dojox.secure library can be disabled server-wide by editing a Java™ properties file called Leap_config.properties in the FSP extensions directory (C:\HCL\Leap\extensions on Windows™, /opt/HCL/Leap/extensions on Linux™). Set the value of the ibm.nitro.ApplicationCompilerService.secureJS key to false. Once the properties file is changed, the HCL Domino Volt server should be restarted to ensure that the configuration takes effect. For more information, see Configuring the properties file.
Change this configuration setting only if all the Domino Volt users on the server are known, trusted users. Disabling JavaScript™ Security on a deployment of Domino Volt that allows anonymous users to create applications could pose a serious security risk.
It should be noted that this configuration only applies to applications that are deployed after making this configuration change. Applications that are deployed before this configuration change must be redeployed for the configuration to take effect.