Hanjst improved + ensafeexpression security expression and so on


Hanjst, the template language and template engine, continues to be improved and upgraded.
This improvement mainly adds compatibility to the safe output expression. Because it involves a trade-off between the efficiency of the software development process and the efficiency of the running software, a few extra sentences are spent describing how the advantages and disadvantages were weighed. Previous update: hanjst upgrade + showimageasync and performance improvement ( https://ufqi.com/blog/hanjst-… ). We hope hanjst matures and stabilizes as soon as possible.

1. Problems and background

When the hanjst template parsing engine was written, JavaScript strict mode ( https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Strict_ ) was adopted; template code that is not written strictly occasionally throws an exception or warning. The reason for this requirement is that hanjst may be used in critical areas and demanding positions, and strict mode lets abnormal errors be eliminated at the programming stage.

Letting the exception surface at compile time, and then fixing it there, is how quasi-compiled languages behave. This is a good thing, because hanjst is used not only on general information websites but also in e-commerce, finance and other fields; strictly checking hanjst syntax is a necessary step.

However, this also has a disadvantage: development is more time-consuming, since various situations must be considered and the software's behaviour tested repeatedly under each scenario, which increases the development cost. The typical strict-mode errors are undefined variables and property access on undefined objects. hanjst already reports such errors in a more readable form; see: hanjst + update and upgrade: error reporting, innerloop and loading layer, https://ufqi.com/blog/hanjst-… .

If the system being integrated is not in a critical field or a demanding position, can some active compatibility be provided for these recurring cases of undefined variables and access to undefined objects? That is the question examined here.

2. Solutions and methods

There are roughly two ways to approach this problem: 1) remove JavaScript strict mode when compiling the template, so that undefined variables and access to undefined objects no longer throw; 2) keep strict mode and make some local fine-tuning so that these low-level errors are tolerated while strict checking of all other syntax is retained.

Removing strict mode across the board is obviously out of the question: it would essentially undermine hanjst's positioning in critical areas and demanding positions, and need not be discussed. Enabling strict mode for compile-time syntax checking is necessary for serious software.

In JavaScript it is easy to detect whether a variable is defined: a typeof test on the identifier tells you, and unlike a plain reference it does not throw for an undeclared name even in strict mode. But if every variable were checked before output, we would fall into the irrational state of "one person is ill and the whole country takes medicine", which is one of the reasons previous attempts were abandoned.
Therefore, to enable variable detection, some mechanism is needed to know which variables have already been defined.

In addition, without using eval or other high-risk functions, how can we tell whether the variable named by a string is defined? Build an anonymous function with the built-in Function constructor? Such a function has its own variable scope, which differs significantly from the environment in which the variable actually runs; how is that to be handled?

Third, the template language allows access to object properties. Such objects may be global variables or local variables of the runtime environment, and they may be one-dimensional hash lists or hashes nested several levels deep. The first-level data object may be defined while the second or third level is not, and accessing an undefined level may throw an exception.

The problem therefore breaks down as follows:
1) Continue to enable strict mode;
2) Under 1), make access to undefined variables and undefined object properties compatible;
3) Avoid high-risk functions such as eval;
4) Guarantee 2) in all cases; it is not acceptable that some variables are handled and others are not;
5) Distinguish between global variables and local variables;
6) Distinguish one-dimensional objects from multi-dimensional objects, and preferably be compatible in all cases.

After some hard exploration, the following measures were taken in an attempt to have both the fish and the bear's paw:
1) Use typeof to generate the JavaScript statement that tests whether the variable about to be evaluated is defined;
2) Keep a list of environment-variable assignment statements, so that explicitly defined variables are known;
3) Use window.hasOwnProperty to detect whether a global variable is defined (note that this only sees properties of window: a global declared with let or const, or any variable on the server side where there is no window, is not found this way);
4) Decompose multidimensional data objects recursively, for example $aList[$ak1][$ak2][$ak3].

Based on the above analysis, a new function, in_ensafeexpression, is added to Hanjst.js to check variables and objects for safety before they are output.

3. Sample demonstration

{$a = 1} -> statements of this form are registered as an explicit declaration of the variable;

{$a} -> ((typeof $a == 'undefined') ? '' : $a), the output of $a when $a has not been registered as defined is rewritten into a ternary expression;

$aList[$ak1][$ak2][$ak3] -> $aList[$ak1], $aList[$ak1][$ak2]: the three-dimensional data to be output is decomposed step by step into two intermediate variables/objects to be tested, and a ternary expression is built for each, giving layer-by-layer detection from the outside in. Each level must be tested before the next is touched, because typeof $aList[$ak1][$ak2] itself throws a TypeError when $aList[$ak1] is undefined:
((typeof $aList[$ak1] == 'undefined') ? '' : ((typeof $aList[$ak1][$ak2] == 'undefined') ? '' : $aList[$ak1][$ak2][$ak3]))

Data objects with more dimensions are handled in the same way.
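To make the rewrite concrete, here is an added example, not code from Hanjst.js, that models the in_ensafeexpression transformation described in sections 2 and 3: assignment tags register a variable as declared, output tags are split into a base identifier and its bracket chain, and every prefix of that chain is wrapped in a typeof ternary from the outside in. The function names ensafeExpression, rewriteTemplate and evalStrict, the simplified {...} tag syntax and the sample template are assumptions made for this demonstration. evalStrict uses the Function constructor only to show that the original expression throws ReferenceError or TypeError under strict mode while the rewritten one yields ''; it is not part of the rewrite. Note that this check only prevents exceptions on undefined references; it does not HTML-escape the value it outputs.

```javascript
'use strict';

// Added example (not Hanjst's own code). Models the ensafeexpression rewrite:
// "$aList[$ak1][$ak2][$ak3]" -> base "$aList", keys ["$ak1","$ak2","$ak3"].
function splitExpression(expr) {
  const m = /^(\$?[A-Za-z_]\w*)((?:\[[^\]]+\])*)$/.exec(expr.trim());
  if (!m) throw new Error('unsupported expression: ' + expr);
  const keys = [];
  const re = /\[([^\]]+)\]/g;
  let k;
  while ((k = re.exec(m[2])) !== null) keys.push(k[1]);
  return { base: m[1], keys };
}

// Build the nested ternary. Every prefix is tested with typeof before the
// next level is touched, because typeof x[y] throws TypeError when x is
// undefined. typeof on an undeclared identifier does not throw, even in
// strict mode, so the base itself can be tested unless it is known declared.
function ensafeExpression(expr, declared = new Set()) {
  const { base, keys } = splitExpression(expr);
  const prefixes = [];
  let cur = base;
  if (!declared.has(base)) prefixes.push(cur);
  for (let i = 0; i < keys.length - 1; i++) {
    cur += '[' + keys[i] + ']';
    prefixes.push(cur);
  }
  const full = keys.length ? cur + '[' + keys[keys.length - 1] + ']' : base;
  // Fold from the innermost prefix outwards so the outermost test runs first.
  let out = full;
  for (let i = prefixes.length - 1; i >= 0; i--) {
    out = "((typeof " + prefixes[i] + " == 'undefined') ? '' : " + out + ")";
  }
  return out;
}

// Walk a (simplified, assumed) template: an assignment tag such as {$a = 1}
// registers $a as declared and is left untouched; any other tag is treated
// as an output expression and rewritten.
function rewriteTemplate(tpl) {
  const declared = new Set();
  return tpl.replace(/\{([^{}]+)\}/g, (tag, body) => {
    const assign = /^\s*(\$?[A-Za-z_]\w*)\s*=[^=]/.exec(body);
    if (assign) {
      declared.add(assign[1]);
      return tag;
    }
    return '{' + ensafeExpression(body, declared) + '}';
  });
}

// Demonstration only: compile an expression as a strict-mode function whose
// parameters are the names in `scope`, and report the value or the error.
// The Function constructor is used here to show the behaviour, not as part
// of the rewrite itself.
function evalStrict(expr, scope = {}) {
  const names = Object.keys(scope);
  const values = names.map((n) => scope[n]);
  try {
    const fn = new Function(...names, '"use strict"; return (' + expr + ');');
    return { ok: true, value: fn(...values) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample data: $aList exists but the second level does not.
const sampleScope = { $aList: { x: {} }, $ak1: 'x', $ak2: 'y', $ak3: 'z' };
const sampleTemplate = '{$a = 1}<b>{$a}</b>{$b}';

console.log(rewriteTemplate(sampleTemplate));
console.log(evalStrict('$missing'));                          // ReferenceError
console.log(evalStrict(ensafeExpression('$missing')));        // value ''
console.log(evalStrict('$aList[$ak1][$ak2][$ak3]', sampleScope));   // TypeError
console.log(evalStrict(ensafeExpression('$aList[$ak1][$ak2][$ak3]',
  new Set(['$aList'])), sampleScope));                        // value ''
```

The declared set is what keeps the rewrite from applying to every variable: once {$a = 1} has been seen, {$a} is emitted as-is, and only names that were never assigned in the template (or, in the real engine, found via window.hasOwnProperty) get the typeof guard.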

4. Others

The version number is upgraded to V1.7, with some other minor optimizations and adjustments.

A simple question turns out not to be simple at all. What looks shallow on paper has to be worked through in practice: a small task, an active safety check before variable output, ended up taking about 2000 words to write up.

After all, hanjst pursues the art of balance, and perfection as far as it can be reached.



Hanjst is a JavaScript-based templating language and parsing engine that runs on the client side and/or the server side.

Hanjst can express logical controls and achieve the same functionality as server-side templating languages.

  • Hanjst runs in the client, reducing rendering computation on the server;
  • Hanjst is language-independent, not bound to back-end scripts or languages;
  • Totally isolated MVC layers, with data transferred as JSON;
  • Full support for template tags with built-in logic and customized JavaScript functions;
  • No more tag languages to learn, just JavaScript;
  • ….

In the past two days I have written two articles in succession, which is rare in the history of this blog. The other article written in the same period: deposit interest rate, loan interest rate and negative interest rate https://ufqi.com/blog/captial… .
