Returning dynamic scripts from helpers


#1

Is it possible to return a script from a helper?

myhelper() {
    return '<script>let i=0;</script>';
},

I notice that I can return an iframe from a helper and it will run the iframe’s src script, but it seems that when I return a script from a helper, the whole script gets stripped out.

If it were possible, I could then generate JavaScript code dynamically and include the resulting script in my pages. JavaScript writing JavaScript!


#2

It is IMO a great thing that script is stripped out by default because this is THE MOST BASIC XSS vulnerability ever.

If you are not familiar with XSS you may start reading here: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

By understanding what could possibly go wrong (Murphy’s Law is strong when it comes to XSS…) you may rethink your approach to allowing dynamic inserts of script and JS code.


#3

Of course XSS is only an issue when the included scripts are written by an outsider. The goal in my case is to pull in and execute dynamic scripts written by the development team and stored in the DB, not in the source code.


#4

I hope that did not sound like lecturing; I interpreted your question as if you were not aware of XSS.

I searched the Blaze repo, and it looks like script tags from strings are omitted because this is not implemented.

Is there a reason why dynamic imports are not a solution for you? They were built to obtain scripts dynamically from the server.

The alternative would be to use jQuery


#5

Thanks for your feedback. I’d like to upload new scripts that could be used without rebuilding the site. Simplified: pages would have their own script that they pull from the DB, and you could replace the scripts on the fly by editing the DB record through the UI.