Scenario 1 - Block JavaScript
JavaScript is one of the main ways that Sandbox security can be blown away. The problem is that the SharePoint 2010 Client Object Model (the ECMAScript client OM) lets script on a page call the SharePoint 2010 API directly from the browser. Those calls don't go through the restricted SharePoint 2010 Sandbox APIs and aren't limited by the sandbox resource quotas, so they are very powerful .. and because a sandboxed solution can drop any script it likes onto any page it likes, and that script runs in the context of whichever user views the page, this also makes them extremely dangerous!

So .. how does CKS:Sandbox help you with this?
  • Blocked File Types - Block the file extensions of known JavaScript file types (such as .js). If any file with a blocked extension is found in the solution package, the solution is blocked and an error message is shown to the user.
  • RegEx Expression Matching - You can specify any RegEx as a validation rule. The validator converts each file in the solution package (except for DLLs) into both ASCII and Unicode text and runs the RegEx against each. If any match is found the solution is blocked! Scanning both encodings matters: a file saved as Unicode (UTF-16) has a zero byte between each character, so a pattern run against the ASCII decoding alone would never match it.
  • String Wildcard Matching - If your RegEx isn't up to scratch, don't worry .. you can instead specify a text string with * wildcards, such as "<script*</script>". This is automatically converted into a RegEx (for efficiency) and evaluated with the same matching as the RegEx validator above. Bear in mind that all three rules are pattern matches on the package contents: script that is assembled at runtime rather than written as a literal tag in a file can slip past them.
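As an added illustration (this is not the CKS:Sandbox code, which is a C# SharePoint solution validator), here is a small Python scanner that applies the same three rules to a constructed set of package files: a blocked-extension check, a wildcard-to-RegEx conversion, and a RegEx scan over both the 8-bit and the UTF-16 decoding of each non-DLL file. The file contents, the extension list and the rule names are all made up for the example; real .wsp packages are CAB archives and unpacking them is not shown.

```python
import os
import re

# Constructed stand-in for the files unpacked from a .wsp solution package
# (a real .wsp is a CAB archive; parsing it is out of scope here).
# default.aspx is stored as UTF-16 LE, like a file saved as "Unicode".
SAMPLE_PACKAGE = {
    "Features/Demo/Elements.xml": b"<Elements xmlns='http://schemas.microsoft.com/sharepoint/' />",
    "Layouts/helper.js": b"alert(document.cookie);",
    "Pages/default.aspx": "<html><script>var ctx = SP.ClientContext.get_current();</script></html>".encode("utf-16-le"),
    "Assembly.dll": b"MZ\x90\x00" + b"<script>not scanned</script>",
}

# Hypothetical blocked-extension list, not the project's defaults.
BLOCKED_EXTENSIONS = {".js", ".vbs"}


def wildcard_to_regex(pattern: str) -> str:
    """Turn a '*' wildcard such as "<script*</script>" into a RegEx.

    Everything between the stars is escaped, so RegEx metacharacters in the
    wildcard are matched literally; each '*' becomes a non-greedy '.*?'.
    """
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def compile_wildcard(pattern: str):
    """Compile a wildcard rule case-insensitively, with '*' spanning newlines."""
    return re.compile(wildcard_to_regex(pattern), re.IGNORECASE | re.DOTALL)


def decode_both(data: bytes) -> list:
    """Return the content as 8-bit text and as UTF-16 LE text.

    latin-1 is lossless for ASCII bytes, and UTF-16 LE is what .NET calls
    Encoding.Unicode. Scanning both is what stops a UTF-16 file (which has a
    zero byte between every character) from hiding from an ASCII pattern.
    """
    return [data.decode("latin-1"), data.decode("utf-16-le", errors="ignore")]


# Hypothetical rule set: one wildcard rule and one plain RegEx rule.
DEFAULT_RULES = [
    ("script-tag", compile_wildcard("<script*</script>")),
    ("client-om", re.compile(r"SP\.ClientContext", re.IGNORECASE)),
]


def validate_package(files, blocked_exts=BLOCKED_EXTENSIONS, rules=DEFAULT_RULES):
    """Return [(path, reason)] for every file that would cause the solution to be blocked."""
    findings = []
    for path, data in files.items():
        ext = os.path.splitext(path)[1].lower()
        if ext in blocked_exts:
            findings.append((path, "blocked file type " + ext))
            continue
        if ext == ".dll":
            # Managed code is not text-scanned, so script it emits at runtime is not caught.
            continue
        for name, rx in rules:
            if any(rx.search(text) for text in decode_both(data)):
                findings.append((path, "matched rule " + name))
                break
    return findings


if __name__ == "__main__":
    for path, reason in validate_package(SAMPLE_PACKAGE):
        print(path, "->", reason)
```

Running it flags helper.js by extension and default.aspx by the script-tag rule; the latter is only found through the UTF-16 decoding, since the 8-bit decoding of that file reads as "<\x00h\x00t\x00m\x00l\x00..." and never contains the literal "<script". Assembly.dll is skipped entirely even though it carries a script tag in its bytes, which is exactly the gap the note below is about.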


Note - At this point JavaScript emitted by managed code in DLLs (for example a web part that writes a script tag from server-side code) would still work, because DLLs are not text-scanned .. if you are really concerned about this then block by Public Key Token or Solution ID instead.

Last edited Jul 12, 2011 at 3:56 PM by MartinHatch, version 4
