
Simple, secure scripting language implemented in JavaScript? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 6 years ago.


I would like to implement a scripting language to assist in partially automating certain tasks on a public wiki. I cannot install anything such as Google Caja on the server or modify the wiki software itself, but I can install JavaScript code for client-side execution. Because my intent is to allow ordinary users to create and post scripts, using JavaScript itself is insecure and could lead to account compromises.

Does such a scripting language implementation exist, or if not, is it relatively easy to create? My focus is on ease of text processing, Ajax requests, and implementation.

Here is an example task a script would need to perform, taken from Wikipedia's procedure for requesting article deletion:

  1. Ask the user for the name of a wiki page and a good reason to delete it.
  2. Get that page's source code, add a deletion notice to the top, and save the new text.
  3. Create a new page (its name based on the first page's name) that includes the reason for deletion.
  4. Get the list of users who edited the page and notify the first one (again, by editing a specific page) that the page he created is about to be deleted.


Here's an implementation of Tcl in javascript: Tcl in Javascript.

Here's the source: tcl.js.

And here's code implementing a live console in your browser to play with: A little tcl.js console

Tcl may not be your cup of tea but the implementation looks fairly simple and straightforward. This is mainly because tcl itself is such a simple language. You can use it to get ideas on how to implement variables and functions.

Hint: in tcl, control structures are functions so look at where built-in functions are implemented to see the implementation of for, while and foreach.
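To make the interpreter approach concrete, here is an added example; it is not code from tcl.js or from the answer above. It is a small Tcl-style interpreter in which user scripts are parsed as text, can only invoke functions the host places in a command table, and run under a step budget. The name `makeInterp`, the `maxSteps` parameter and the host commands are assumptions made for illustration.

```javascript
// Added example with hypothetical names: Tcl-style scripts parsed as text, never eval()'d.
function makeInterp(hostCommands, maxSteps = 1000) {
  const vars = new Map(), cmds = new Map(Object.entries(hostCommands)); // Maps: no inherited keys
  let steps = 0;                           // command budget shared by every run() call

  function matching(s, i, open, close) {   // index just past the matching closer
    for (let depth = 0; i < s.length; i++) {
      if (s[i] === open) depth++;
      else if (s[i] === close && --depth === 0) return i + 1;
    }
    throw new Error('unbalanced ' + open);
  }
  function readWord(s, i) {                // returns [value, nextIndex]
    if (s[i] === '{') {                    // {braces}: literal text, no substitution
      const end = matching(s, i, '{', '}');
      return [s.slice(i + 1, end - 1), end];
    }
    let out = '';
    while (i < s.length && !/[\s;]/.test(s[i])) {
      if (s[i] === '$') {                  // $name: variable substitution
        const name = /^\w*/.exec(s.slice(i + 1))[0];
        if (!vars.has(name)) throw new Error('no such variable: ' + name);
        out += vars.get(name); i += 1 + name.length;
      } else if (s[i] === '[') {           // [cmd args]: command substitution
        const end = matching(s, i, '[', ']');
        out += run(s.slice(i + 1, end - 1)); i = end;
      } else out += s[i++];
    }
    return [out, i];
  }
  function run(script) {                   // returns the last command's result
    let result = '';
    for (let i = 0; i < script.length; i++) {   // i++ skips the newline or ';' terminator
      const argv = [];
      while (i < script.length && !/[\n;]/.test(script[i])) {
        if (/\s/.test(script[i])) { i++; continue; }
        let w; [w, i] = readWord(script, i); argv.push(w);
      }
      if (!argv.length) continue;
      if (++steps > maxSteps) throw new Error('step limit exceeded');
      const fn = cmds.get(argv[0]);        // only table entries are callable
      if (!fn) throw new Error('unknown command: ' + argv[0]);
      result = String(fn(argv.slice(1), run));  // host functions receive strings only
    }
    return result;
  }
  cmds.set('set', ([name, value]) => { vars.set(name, value); return value; });
  cmds.set('while', ([cond, body], ev) => { while (ev(cond) === '1') ev(body); return ''; });
  return run;
}
```

The host decides what a script can do by what it puts in the table, for example a `save` command that validates the page title before making the Ajax request with the user's session.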


Douglas Crockford's ADsafe is supposed to be a secure subset of JavaScript.

It consists of a runtime library (~20 KB minified) and a verifier (included in JSLint). If Crockford were to drop "The Software shall be used for Good, not Evil" from the license, both components would be GPL-compatible open-source programs.

Because JSLint is a JavaScript program, it can verify user scripts entirely within the web browser. This is in contrast to Google Caja, which is written in Java.


You could just sandbox; that is, scope in a couple of key variables so that the user's code is unable to access unsafe objects.

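var execSandboxedJS = function (jsCode) {
    // Look up the root element while `document` still refers to the real document.
    var root = document.getElementById('myRootElement');
    // Shadow `window` and `document` through parameters. Declaring them with `var`
    // in this function hoists them, so `document` was undefined at the lookup above.
    (function (window, document) {
        eval(jsCode);
    })(root, root);
};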

Though, allowing user code to make ajax requests is, in itself, inherently unsafe. I would reconsider the sanity of the project if that's what's called for.
