Found code skeleton, with 1- and 2-character whitelists (can be longer)
cocurrent 'jon'
NB. can't have all 3 @[& if you want to forbid ^:
NB. should run in context that limits space and time.
safe1 =: '''_0123456789+*-<>|;,#{}()]~'
safe2 =: 'u:';'x:';'}.';'}:';'" ';'":';'! ';'$ ';'= ';'^ ';'^.';'a.';'a:';'L.';'L:';'j.';'i.';'i:';'$.'
issafe1d =: safe1 e.~ {. &>
issafe2d =: safe2 e.~ 2&{. each
isSafe =: *./@:(issafe2d +. issafe1d)@:;:
noevoke =: 3 : '*./ 2 (('''''''' -: {.@:>@:{.) *: (<,''~'') -: {: )\ ;: y'
NB. noevoke =: *./@:( 2&(('''' -: {.@:>@:{.) *: (<,'~') -: {: )\)
doSafe =: 0 0&$`(0 0&$`".@.isSafe)@. noevoke  NB. evaluate only if noevoke and isSafe hold; else empty 0 0 result
doSafed =: 3 : 0
o =. doSafe y
if. o -: i.0 0 do. w=. ;: y  NB. -: (match), not =: a scalar = empty gives empty, which if. treats as true
o =. 'terms not safe1' ; (] #~ -.@:issafe1d) w
o , 'terms not safe2' ; (] #~ -.@:issafe2d) w return. end.
o
)
JOFF_z_ =: doSafe_z_ =: doSafe_jon_
lr_z_ =: 3 : '5!:5 <''y'''
On Tuesday, February 18, 2020, 07:10:06 p.m. EST, 'Pascal Jasmin' via
Programming <[email protected]> wrote:
You can sanitize to white-listed functions. I think I've posted this before,
but cannot find the code. The basics are J primitives, and select foreigns,
without allowing assignment. J can self-tokenize a sentence with ;:
On Tuesday, February 18, 2020, 03:17:23 p.m. EST, 'Jim Russell' via Programming
<[email protected]> wrote:
Does the "do" approach involve risks like SQL injection risks? How does one
ensure that a user response doesn't include malicious J code?
> On Feb 18, 2020, at 1:34 PM, PMA <[email protected]> wrote:
>
> Bob, Jimmy, Pascal --
> Just plain old Do fercrisake.
> Omg, I feel like an idiot!
> (Happy, o'course)
>
> See, I'll be using the quotes in one string
> as the var NAME that this function's output
> will be assigned to. A little cumbersome,
> but hey...
>
> Thanks again!
> Cheers back!!!
> Pete
>
>> On 02/18/2020 12:27 PM, 'robert therriault' via Programming wrote:
>> Hi Pete,
>>
>> Are you looking for ". (Do)
>> https://code.jsoftware.com/wiki/Vocabulary/quotedot
>>
>> ".'1 + 1'
>> 2
>> FUNCTION=: 4 : 0
>> smoutput x NB. output x string
>> smoutput y NB. output y string
>> x +&". y NB. Using + as the dyadic verb placeholder, equivalent to (". x)
>> + ". y
>> )
>> '1+1' FUNCTION '2+2'
>> 1+1
>> 2+2
>> 6
>>
>> Cheers, bob
>>
>>> On Feb 18, 2020, at 09:10, PMA <[email protected]> wrote:
>>>
>>> This question must be too clueless to ask,
>>> but two hours with NuVoc leaves me still
>>> wondering --
>>>
>>> I need to write a function invocation with
>>> its numeric x and y each in quotes as TEXT:
>>>
>>> '1+1' FUNCTION '2+2'
>>>
>>> I want the function then, after displaying
>>> x and y, to remove their quotes and execute
>>> their innards.
>>>
>>> What (a primitive, I assume!) will convert
>>> each quote to an executable expression?
>>>
>>> Thanks in advance.
>>> Sorry to test your patience!
>>> Pete
>>> ----------------------------------------------------------------------
>>> For information about J forums see http://www.jsoftware.com/forums.htm
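The pattern Pascal describes above (tokenize the user's text, check every token against a whitelist, refuse assignment and evoke, and only then hand it to Do) is the same defence against code injection in any language that exposes an evaluator. As an added example, not code from this thread and written in Python rather than J so that the pattern rather than the primitives is what shows, here is that approach built on Python's ast module: the string is parsed, every node is checked against a whitelist of numeric literals and arithmetic operators, names, calls, attribute access and string literals are reported as unsafe, and the checked tree is interpreted directly so eval() is never called. `function` mirrors Bob's FUNCTION from the thread with both arguments sanitized first. All names, the operator whitelist and the length cap are this example's own choices.

```python
import ast
import operator

# Added example, not the thread's code: the J whitelist-then-". idea redone in
# Python. The user's text is parsed into a tree, every node is checked against
# a whitelist, and only a fully whitelisted tree is evaluated (never via eval()).

# Whitelisted operators: the analogue of safe1/safe2 in the J skeleton.
BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
UNARY_OPS = {
    ast.USub: operator.neg,
    ast.UAdd: operator.pos,
}
MAX_LEN = 200  # crude size cap; the J comment also asks for space/time limits


class UnsafeExpression(ValueError):
    """Raised when the input contains anything outside the whitelist."""


def unsafe_parts(expr: str) -> list:
    """Return the node kinds in expr that are not whitelisted (empty list == safe).

    Like doSafed in the J skeleton, it reports what failed instead of just
    returning an empty result, so rejections can be logged.
    """
    if len(expr) > MAX_LEN:
        return [f"length > {MAX_LEN}"]
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        # assignment (a = 1), statements, etc. never parse in eval mode
        return [f"syntax: {exc.msg}"]
    bad = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Expression, ast.BinOp, ast.UnaryOp)):
            continue
        if type(node) in BIN_OPS or type(node) in UNARY_OPS:
            continue
        if isinstance(node, ast.expr_context):  # Load/Store only hang off rejected nodes
            continue
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            continue
        # Names, calls, attribute access, strings, **, comparisons, ...:
        # anything that could reach code or data is rejected here.
        bad.append(type(node).__name__)
    return bad


def _interpret(node):
    """Evaluate an already-whitelisted tree without eval()."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.UnaryOp):
        return UNARY_OPS[type(node.op)](_interpret(node.operand))
    if isinstance(node, ast.BinOp):
        return BIN_OPS[type(node.op)](_interpret(node.left), _interpret(node.right))
    raise UnsafeExpression(type(node).__name__)  # unreachable after unsafe_parts


def do_safe(expr: str):
    """Counterpart of doSafe: evaluate expr only if every part is whitelisted."""
    bad = unsafe_parts(expr)
    if bad:
        raise UnsafeExpression("rejected: " + ", ".join(bad))
    return _interpret(ast.parse(expr, mode="eval").body)


def function(x: str, y: str):
    """Bob's FUNCTION from the thread, with both strings sanitized first."""
    return do_safe(x) + do_safe(y)


if __name__ == "__main__":
    print(function("1+1", "2+2"))  # 6
    for text in ("2**64", "x + 1", "len('abc')", "a = 1"):
        print(repr(text), "->", unsafe_parts(text))
```

The whitelist is deliberately tiny: `**` is left out because `9**9**9` is a resource-exhaustion input rather than a code-execution one, which is the "limit space and time" concern in the J comment; `1/0` still raises ZeroDivisionError, which the caller should treat as a normal rejected input. The J version does the equivalent job with `;:` and a list of allowed tokens; the principle in both is that text from a user is never passed to the evaluator until everything in it has been positively recognised.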