Sandboxing and parsing jQuery in 100ms

gaz Heyes gazheyes at gmail.com
Thu Mar 21 03:58:28 PDT 2013


Hi all

I thought I'd share an update of my mental js work. I have since reduced
the parse time of mental and now added a DOM sandbox that uses ES5 to allow
safe manipulation of the DOM. This is so cool because it means that mental
can take control over your DOM and then we can choose what we allow. Want
to restrict images to same origin? No problem. Want to prevent script nodes
from the ability to call external resources? No problem :)

There's a cool demo on modsecurity where they have an injection hole and
inject mental into the response to prevent harmful XSS.
http://www.modsecurity.org/demo/demo-deny-noescape.html?test=%3Cscript%3Ealert%28location%29%3C%2Fscript%3E

I managed to get the parse time of jQuery to a minimum of 24ms on Chrome, on
Firefox it can parse and sandbox jQuery in about 90ms although there are a
couple of problems with the selectors which I need to debug. Any comments
or suggestions are welcome.

Cheers

Gareth
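
The message above describes a DOM sandbox built on ES5 that can restrict images to the same origin. The following is an added illustration of that idea, not code from the message or from the project it describes: an ES5 accessor-property facade that checks URL-bearing properties before they reach the real node. `PAGE_ORIGIN`, `URL_PROPS`, `sameOrigin` and `wrapNode` are hypothetical names, and the node is a plain object standing in for a DOM element so the block runs outside a browser.

```javascript
'use strict';

// Constructed page origin for the demo; a browser sandbox would read location.origin.
var PAGE_ORIGIN = 'https://app.example';

// Hypothetical policy table: URL-bearing properties to check, per tag name.
var URL_PROPS = { IMG: ['src'], SCRIPT: ['src'] };

function sameOrigin(url) {
  try {
    // Relative URLs resolve against the page, as they would in a browser.
    // data: and javascript: URLs have the opaque origin "null" and are rejected.
    return new URL(url, PAGE_ORIGIN + '/').origin === PAGE_ORIGIN;
  } catch (e) {
    return false; // unparseable input is rejected, not passed through
  }
}

// Build a facade for `node`. Sandboxed code is handed the facade only,
// so every write to a listed property goes through the policy check.
function wrapNode(node) {
  var facade = Object.create(null); // no prototype chain to walk back to the real DOM
  (URL_PROPS[node.tagName] || []).forEach(function (prop) {
    Object.defineProperty(facade, prop, {
      enumerable: true,
      configurable: false, // sandboxed code cannot redefine the accessor
      get: function () { return node[prop]; },
      set: function (value) {
        var s = String(value); // coerce once so a toString() trick cannot change the value after the check
        if (!sameOrigin(s)) {
          throw new Error('blocked cross-origin ' + prop + ': ' + s);
        }
        node[prop] = s;
      }
    });
  });
  Object.defineProperty(facade, 'tagName', { value: node.tagName, enumerable: true });
  return Object.freeze(facade); // no new properties can be attached
}
```
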


More information about the es-discuss mailing list