September 2, 2010

ixSci

Disable JavaScript execution in QML

 

Is it possible to disable all script execution inside QML?
It may be needed to secure GUI plugins that a vendor may allow end users to create with the help of QML. But this opportunity will be annihilated if there is no method to forbid execution of random code in QML.

2 replies

September 6, 2010

Thomas Zander

QML without JavaScript is like a painting without colors; it's not going to be very interesting for most use cases.

Moving code to the client, either in JavaScript or in compiled C++ form, should be similarly attacked; you need your security before a 3rd party’s code lands on your target device.

Disabling JavaScript is not going to give you the security you want.

September 7, 2010

ixSci

Perhaps we have some GUI element which we draw with the help of QML. Suppose it has edit fields for private user data. If there is no JavaScript, QML is still useful because every user can write their own QML and have some pretty GUI element. But if JavaScript is turned on, then some malicious man can integrate information stealing and many other disastrous things. It can even lead to privilege elevation in the worst case!
No one can do the same thing with already built C++ code at an acceptable cost.

 