Can we make custom oneboxes?


(Joseph Orbegoso Pea (Joe Pea)) #1

I’d like to embed a jsfiddle in a conversation. How can we do that?

The iframe embed code looks like:

<iframe width="100%" height="300" src="//jsfiddle.net/trusktr/32cnvse3/embedded/" allowfullscreen="allowfullscreen" frameborder="0"></iframe>

(Rafael dos Santos Silva) #2

Codepen is whitelisted by default:

Maybe we can test jsfiddle, let me check.


(Sam Saffron) #3

The big thing that needs testing is that there is 0 JS execution prior to a user clicking “run”. We cannot risk people setting up JavaScript bombs.


Jsfiddle-like embeds?
(Mittineague) #4

Yes, at SitePoint we onebox codepens, but fiddles are only linked to.

It works well, and so far, AFAIK hasn’t introduced risk.


(Joseph Orbegoso Pea (Joe Pea)) #5

What are those? Something that makes the CPU work 100%?


(Sam Saffron) #6

Well, unrestricted JS can lead to an enormous class of issues: leaking confidential info via JSONP, high CPU when you hit a topic, tricking users into thinking the page has information on it that is fake, phishing, the sky is the limit.


(Mittineague) #7

For a simple harmless example that is more representative of a common JavaScript newbie mistake than a malicious script, try running this and see how well you like it.

// each alert() is modal: the tab is blocked until the reader dismisses it, 1000 times over
for (var i = 0; i < 1000; i++) {
 alert(i);
}

My bet is you close your browser or stop scripts well before it completes.


(Joseph Orbegoso Pea (Joe Pea)) #9

What exactly is different about codepen compared to jsfiddle that makes only codepen embeddable? Can’t both run javascript, and don’t both run in an iframe?


(Rafael dos Santos Silva) #10

(Joseph Orbegoso Pea (Joe Pea)) #11

Testing codepen bomb attempt:


(Joseph Orbegoso Pea (Joe Pea)) #12

Well, apparently codepen iframe embed doesn’t work.

How about HTML:

See the Pen JS Bomb Example by Joseph Orbegoso Pea (@trusktr) on CodePen.


(Joseph Orbegoso Pea (Joe Pea)) #13

Nope. How about URL:

https://codepen.io/trusktr/pen/JNzzKQ


(Rafael dos Santos Silva) #14

Like all oneboxes, you are supposed to paste a link on a line by itself.

And as you can see it doesn’t run until clicked.


(Joseph Orbegoso Pea (Joe Pea)) #15

Interesting, and I don’t see the result (infinite while loop that alerts).


(Rafael dos Santos Silva) #16

It’s blocked by the sandbox for iframes since Chrome 46.
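As an added illustration (not Discourse’s own onebox code) of the three points made in this thread, a whitelisted host, a link on a line by itself, and no script execution before the reader clicks, here is a minimal onebox builder; the host table, the embed paths and the class names are assumptions.

```javascript
// Hypothetical whitelist: hostname -> function that turns a pen/fiddle URL into
// its embed URL. Hosts not listed here stay plain links and never get an iframe.
const EMBED_HOSTS = {
  "codepen.io": (u) => `https://codepen.io${u.pathname.replace("/pen/", "/embed/")}`,
  "jsfiddle.net": (u) => `https://jsfiddle.net${u.pathname.replace(/\/?$/, "/")}embedded/`,
};

// Minimal attribute escaping so a crafted URL cannot break out of the markup.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns null unless the whole line is exactly one http(s) URL on a whitelisted host.
function oneboxFor(line) {
  const text = line.trim();
  if (text === "" || /\s/.test(text)) return null; // must be a link on a line by itself
  let url;
  try { url = new URL(text); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  const build = EMBED_HOSTS[url.hostname];
  if (!build) return null;
  const embedSrc = build(url);
  return {
    embedSrc,
    // What the post renders with: no <iframe> at all, so nothing runs on page load.
    placeholder: `<div class="onebox-embed" data-src="${escapeAttr(embedSrc)}">` +
                 `<button type="button">Run</button></div>`,
    // Swapped in only after the click. allow-scripts without allow-same-origin keeps
    // the embed in an opaque origin; no popups, forms, or top-level navigation.
    iframe: `<iframe sandbox="allow-scripts" src="${escapeAttr(embedSrc)}" ` +
            `width="100%" height="300" frameborder="0"></iframe>`,
  };
}

// Browser-side wiring (skipped when there is no DOM): replace the placeholder on click.
if (typeof document !== "undefined") {
  document.addEventListener("click", (ev) => {
    const box = ev.target.closest && ev.target.closest(".onebox-embed");
    if (!box) return;
    const src = box.getAttribute("data-src");
    box.outerHTML = `<iframe sandbox="allow-scripts" src="${escapeAttr(src)}" ` +
                    `width="100%" height="300" frameborder="0"></iframe>`;
  });
}
```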


(Joseph Orbegoso Pea (Joe Pea)) #17

If we click “Edit on codepen” then it runs the code for the first time without the infinite loop detection!


(Joseph Orbegoso Pea (Joe Pea)) #18

codepen console.log bomb:

https://codepen.io/trusktr/pen/oWVVqb


(Rafael dos Santos Silva) #19

But then you are on the codepen website, right? What does this have to do with Discourse?


(Joseph Orbegoso Pea (Joe Pea)) #20

Nothing unless the whole browser crashes. x} Probably Chrome won’t crash, but maybe some other browser?

Testing document.write bomb:

https://codepen.io/trusktr/pen/WjmmJJ


(Rafael dos Santos Silva) #21

Use try.discourse.org for testing, meta is for discussions.