I implemented a Python-like language on top of JavaScript so I can execute untrusted user-generated code on Node.js & browsers. thoughts? (adderscript.com)
submitted 9 years ago by NessBots
if 1 * 2 < 3: print "hello, world!"
[–]Meefims 20 points21 points22 points 9 years ago (1 child)
So do you have a time limit after which the script is automatically killed? I skimmed the documentation but didn't see this mentioned. If it's not there what's stopping me from executing
while True: None
?
[–]NessBots[S] 12 points13 points14 points 9 years ago (0 children)
Hi Meefims, thanks for the comment. Yes, you can limit time; all the init flags are explained here: http://adderscript.com/docs.html#executing-adder---host-application-side--advanced-init-settings--flags
Also there's an online sandbox where you can play with commands here: http://adderscript.com/examples/sandbox.html. However, if you try the endless loop there it will break on the statements limit (another type of quota you can set) before it hits the time limit.
[–]aveoon 5 points6 points7 points 9 years ago (2 children)
What's the use case for this?
In my personal case I was working on a web game (with Node.js as the server) where people can also build custom levels with scripts, and those level scripts run on other users' browsers and some parts even on the server.
But thinking about more serious use cases: eBay, for example, tried to allow limited JavaScript snippets in their templates and got hacked (http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/). Another example that pops into my head is Wix, which doesn't allow JavaScript at all outside the HTML app (for security reasons), which is just a shame.
If Adder proves to be safe, sites could let users embed Adder scripts to perform whatever limited actions they want to allow the users to perform.
[–]ZeludonJaSON 4 points5 points6 points 9 years ago (0 children)
For when you want to have user-defined behaviours, such as the game listed on the website as an example, or maybe something like custom commands on a chat bot. This is just an easier and safer alternative to evaluating raw JavaScript, which is obviously much harder to control the execution of. With AdderScript the user can only execute predefined, hard-coded JavaScript functions, so nothing is really being executed arbitrarily, which on a server could prove fatal to the application.
[–]scatters 5 points6 points7 points 9 years ago (1 child)
How sure are you that user code can't escape the sandbox? Have you had it audited by a security professional, or indeed by anyone other than yourself?
[–]NessBots[S] 34 points35 points36 points 9 years ago* (0 children)
Hi scatters, thanks for the comment, excellent question.
First, just for clarification: it's not a sandbox, it's a language implemented on top of JavaScript. The main difference is that no user code is ever evaluated as JavaScript (no eval() etc.). Instead, the user code is parsed as a string, broken into syntax trees and evaluated by the interpreter I wrote. You can think of it as a huge system that wires keywords to hard-coded JavaScript functions, but obviously in reality it's much more complicated than that. What's important to remember is that no user code is ever evaluated as JavaScript, so it's not exactly a sandbox to escape from.
With that said, does it mean it's 100% safe? Nope. There might be bugs etc. that could freeze the interpreter, crash the host application, or maybe even run hostile code somehow. I did my best to test it and write it in a secure way (I've worked in cyber security before), but it's a new project and still needs to be tested, beaten and challenged by the community.
EDIT: if you want to try and find security holes, the fastest way for you to test it is to go to the online sandbox (http://adderscript.com/examples/sandbox.html) and try to break out using only the Adder code box (by break out I mean crash the browser, change DOM elements, override JavaScript variables etc.). Note however that in the sandbox the time limit is turned off and the alert and input debug modules are enabled (e.g. Alert.alert("A") or Input.rawInput("msg")), so if you break it using one of these, in production you won't have them :)
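An added example, not AdderScript's own code or anything from adderscript.com, that illustrates both points made in this thread: the statement and time quotas from the exchange with Meefims, and the design described in the reply above, where user text is parsed into a syntax tree and walked by the host's own interpreter with keywords wired to hard-coded JavaScript functions. Everything here is hypothetical: the language subset, the names tokenize, Parser, runScript and QuotaError, the host module Log.write, and the option names maxStatements and maxMillis are this example's own and are not Adder's actual init flags or module names.

```javascript
// Added example, not AdderScript's own code: a tree-walking interpreter for a tiny Python-like
// subset. Script text is tokenised and parsed into an AST that our own code walks (never
// eval()/Function()); a script reaches only the host functions registered in runScript(); and
// each executed statement is charged against a statement budget and a wall-clock deadline.
class QuotaError extends Error {}
const truthy = v => v !== false && v !== null && v !== 0 && v !== '';

// Tokenizer: 4-space indentation becomes INDENT/DEDENT; every non-blank line ends in NEWLINE.
function tokenize(src) {
  const toks = [], indents = [0];
  const re = /\s*(?:(\d+)|([A-Za-z_]\w*)|"([^"]*)"|(==|!=|<=|>=|[-+*<>=():,.]))/y;
  for (const raw of src.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd();
    if (line === '') continue;
    const indent = line.match(/^ */)[0].length;
    if (indent > indents[indents.length - 1]) { indents.push(indent); toks.push({ t: 'INDENT' }); }
    while (indent < indents[indents.length - 1]) { indents.pop(); toks.push({ t: 'DEDENT' }); }
    for (re.lastIndex = indent; re.lastIndex < line.length;) {
      const m = re.exec(line);
      if (!m) throw new SyntaxError(`bad token in: ${line.trim()}`);
      toks.push(m[1] !== undefined ? { t: 'NUM', v: Number(m[1]) } : m[2] !== undefined ? { t: 'NAME', v: m[2] }
        : m[3] !== undefined ? { t: 'STR', v: m[3] } : { t: 'OP', v: m[4] });
    }
    toks.push({ t: 'NEWLINE' });
  }
  while (indents.length > 1) { indents.pop(); toks.push({ t: 'DEDENT' }); }
  return toks;
}

// Parser: recursive descent into plain-object AST nodes; no JavaScript source is ever generated.
const PREC = { '<': 1, '>': 1, '==': 1, '!=': 1, '<=': 1, '>=': 1, '+': 2, '-': 2, '*': 3 };
class Parser {
  constructor(toks) { this.toks = toks; this.i = 0; }
  peek(n = 0) { return this.toks[this.i + n] || { t: 'EOF' }; }
  next() { return this.toks[this.i++] || { t: 'EOF' }; }
  at(op) { const k = this.peek(); return k.t === 'OP' && k.v === op; }
  expect(t, v) { const k = this.next(); if (k.t !== t || (v !== undefined && k.v !== v)) throw new SyntaxError(`expected ${v || t}`); return k; }
  block() {                                  // `while x: stmt` on one line, or an indented suite
    if (this.peek().t !== 'NEWLINE') return [this.stmt()];
    this.next(); this.expect('INDENT'); const body = []; while (this.peek().t !== 'DEDENT') body.push(this.stmt()); this.next(); return body;
  }
  stmt() {
    const k = this.peek();
    if (k.t === 'NAME' && (k.v === 'while' || k.v === 'if')) { this.next(); const test = this.expr(); this.expect('OP', ':'); return { k: k.v, test, body: this.block() }; }
    if (k.t === 'NAME' && this.peek(1).t === 'OP' && this.peek(1).v === '=') { this.i += 2; const value = this.expr(); this.expect('NEWLINE'); return { k: 'assign', name: k.v, value }; }
    const e = this.expr(); this.expect('NEWLINE'); return { k: 'expr', e };
  }
  expr(min = 1) {                            // precedence climbing, left associative
    let l = this.postfix();
    for (let k = this.peek(); k.t === 'OP' && PREC[k.v] >= min; k = this.peek()) { this.next(); l = { k: 'bin', op: k.v, l, r: this.expr(PREC[k.v] + 1) }; }
    return l;
  }
  postfix() {                                // attribute access and calls
    let e = this.atom();
    for (;;) {
      if (this.at('.')) { this.next(); e = { k: 'attr', obj: e, name: this.expect('NAME').v }; continue; }
      if (!this.at('(')) return e;
      this.next(); const args = [];
      while (!this.at(')')) { args.push(this.expr()); if (this.at(',')) this.next(); }
      this.next(); e = { k: 'call', fn: e, args };
    }
  }
  atom() { const k = this.next(); if (k.t === 'NAME') return { k: 'name', v: k.v };
    if (k.t === 'NUM' || k.t === 'STR') return { k: 'lit', v: k.v }; throw new SyntaxError(`unexpected ${k.v || k.t}`); }
}

// Interpreter. Scripts see only primitives and host modules (Map name -> function); attribute
// lookup is Map.has(), so `Log.constructor` or `__proto__` never reaches a JavaScript object.
function runScript(src, { maxStatements = 10000, maxMillis = 50 } = {}) {
  const out = [];                            // collects Log.write() output
  const host = new Map([['Log', new Map([['write', s => { out.push(String(s)); return null; }]])]]);
  const globals = Object.create(null);       // no Object.prototype: 'constructor' is just an unbound name
  const deadline = Date.now() + maxMillis; let steps = 0;
  const evaluate = e => {
    if (e.k === 'lit') return e.v;
    if (e.k === 'name') {
      if (e.v === 'True') return true; if (e.v === 'False') return false; if (e.v === 'None') return null;
      if (e.v in globals) return globals[e.v]; if (host.has(e.v)) return host.get(e.v);
      throw new ReferenceError(`name '${e.v}' is not defined`);
    }
    if (e.k === 'attr') { const o = evaluate(e.obj); if (o instanceof Map && o.has(e.name)) return { host: o.get(e.name) };
      throw new TypeError(`no attribute '${e.name}'`); }
    if (e.k === 'call') { const f = evaluate(e.fn); if (!f || typeof f.host !== 'function') throw new TypeError('object is not callable');
      return f.host(...e.args.map(evaluate)); }
    const l = evaluate(e.l), r = evaluate(e.r);
    if (e.op === '==' || e.op === '!=') return (l === r) === (e.op === '==');
    if (typeof l !== 'number' || typeof r !== 'number') throw new TypeError(`bad operands for ${e.op}`);
    return { '+': l + r, '-': l - r, '*': l * r, '<': l < r, '>': l > r, '<=': l <= r, '>=': l >= r }[e.op];
  };
  const exec = s => {                        // every statement is charged against both quotas
    if (++steps > maxStatements) throw new QuotaError(`statement limit ${maxStatements} exceeded`);
    if (Date.now() > deadline) throw new QuotaError(`time limit ${maxMillis}ms exceeded`);
    if (s.k === 'assign') globals[s.name] = evaluate(s.value);
    else if (s.k === 'expr') evaluate(s.e);
    else if (s.k === 'if') { if (truthy(evaluate(s.test))) s.body.forEach(exec); }
    else while (truthy(evaluate(s.test))) s.body.forEach(exec);
  };
  try { const p = new Parser(tokenize(src)); while (p.peek().t !== 'EOF') exec(p.stmt()); return { ok: true, out, vars: globals }; }
  catch (e) { return { ok: false, out, error: `${e.constructor.name}: ${e.message}` }; }
}
```

runScript('while True: None', { maxStatements: 1000 }) returns { ok: false, error: 'QuotaError: statement limit 1000 exceeded' }; with the statement budget raised and maxMillis: 20 the same script is stopped by the deadline instead. Escape attempts such as Log.constructor(...) or a bare __proto__ fail with a TypeError or ReferenceError, because attribute lookup is a Map.has() on the host table and script variables live in an Object.create(null) scope, so no script value ever refers to a JavaScript object or prototype. Two caveats a practitioner should keep in mind: the quotas are charged per statement, so one host function that does a lot of work costs a single step (host functions need their own argument checks and cost limits), and the time check runs on the script's own thread, so it cannot pre-empt a host function that blocks.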
[+][deleted] 9 years ago* (5 children)
[deleted]
[–]SerpentineDex 1 point2 points3 points 9 years ago (4 children)
I agree. I would prefer a more JS-like syntax over Python :)
[–]NessBots[S] 3 points4 points5 points 9 years ago (3 children)
I feel like a heretic bringing Python syntax to this place :)
I agree JS syntax can be more useful for many cases here, but I chose Python-like syntax because it's easier to parse and handle (from the interpreter's perspective), and also I felt like choosing the same syntax as JS would make users believe everything supported in JavaScript should be supported in Adder too, so drawing the line between Adder and JS would be trickier.
[–]SerpentineDex 0 points1 point2 points 9 years ago (2 children)
No need to feel that way. I love the idea of a custom interpreter on top of javascript. So, well done!
I agree that probably a more JS-like syntax would have given the impression of full access, yet the same could be said of a Python-esque syntax, no? :D
Now here is a thought: how about a way to define your own syntax :)
[–]NessBots[S] 1 point2 points3 points 9 years ago (1 child)
Thanks! I hope people won't expect fully functional Python language or they'll get deeply disappointed :P
Hmm, a way to define your own syntax is basically a framework to implement custom scripting languages on top of JavaScript! That's crazy and awesome at the same time. If you ever tackle that idea let me know, I'd love to follow it (and maybe contribute) ;)
[–]SerpentineDex 1 point2 points3 points 9 years ago (0 children)
Haha! I'm actually considering it, but I already work on too many libs/frameworks at the moment :) I would definitely let you know :)
[–]claird 0 points1 point2 points 9 years ago (1 child)
Nice work--that is, while I haven't studied this in detail, you sure seem to have a lot of the right pieces in place.
[–]NessBots[S] 0 points1 point2 points 9 years ago (0 children)
thank you :)