1. If global variables were allowed, attackers could even replace
the default implementation of string/array or anything else you can imagine,
then inject it into the global environment; you would be attacked by simply
using array in your JS bundle. Encoding/decoding JS is not helpful here.

2. You could probably solve the problem in a different way. The
navigator.push() in Weex didn't support any parameters, but you can
implement your own navigator module that supports parameters:

   1. Create an API like *nav2.push(argsA)*, *nav2.pop(argsB)*.
   2. Implement it in Java code. You could always execute JS code in Java
   by calling execJS().
   3. Just invoke nav2 in your JS code.

Actually, you could make the implementation of navigator in Weex better,
and I am happy to review and merge your code.

Best Regards,
YorkShen

申远


黄天宁 <zsmj...@gmail.com> wrote on Tue, Mar 3, 2020 at 9:43 AM:

> Yeah, I get your meaning. (For security, I encode the JS bundle with XXTEA in OSS,
> and download/decode the JS bundle before SDKManager.render().)
> And in fact, broadcastChannel meets the needs of the business.
> But it is not *the best/easiest way to deal with neighbour pages*, especially
> when the second page goes back to the first page with an obj param (such as: bank
> detail page (click the bank) => bank list page (choose a bank) => back to
> bank detail page (with bank info param)).
>
> Out of laziness, I wrote a JS API to make this scenario more convenient:
>
> /* global Date */
> Date.$PUSH_UUID = Date.$PUSH_UUID || 0
> Date.$PUSH_CALLBACK_CENTER = Date.$PUSH_CALLBACK_CENTER || {}
>
> function $push(path, params, callback) {
>     const isWeexPage = path.indexOf('weex/page/') >= 0
>     const hasCallback = typeof callback === 'function'
>
>     if (!isWeexPage && hasCallback) {
>         log('Warning', 'Only pushing to a Weex page support a callback!')
>     }
>
>     const puuid = (isWeexPage && hasCallback) ? (++Date.$PUSH_UUID) : undefined
>     const finalUrl = url.join(toLink(path, DefaultScheme), params, puuid ? { puuid } : undefined)
>     native.push(finalUrl)
>
>     if (puuid) {
>         Date.$PUSH_CALLBACK_CENTER[puuid] = callback
>         this.$on('hook:destroyed', () => Date.$PUSH_CALLBACK_CENTER[puuid] = undefined)
>     }
> }
>
>
> function $pop(v) {
>     native.pop()
>     const root = getRootVM(this)
>     const puuid = root.params.puuid
>     if (puuid) {
>         const callback = Date.$PUSH_CALLBACK_CENTER[puuid]
>         Date.$PUSH_CALLBACK_CENTER[puuid] = undefined
>         if (typeof callback === 'function') callback(v)
>     }
> }
>
> It is useful and very convenient.
> A=>B: $push(url, params, (v)=>{ //do callback  })
> B=>A: $pop(obj)
> Then the callback (from A) will be invoked with obj (from B).
> *The only premise is that Date is a global object in the JS environment for each
> Weex instance.*
>
> 申远 <shenyua...@gmail.com> wrote on Mon, Mar 2, 2020 at 11:33 PM:
>
> > Well, it seems like you could use broadcastChannel [1] to send messages (not
> > callbacks) among pages. If this is not enough, you have to use the low-level C++
> > API to implement it yourself, which is hard to write and not encouraged.
> >
> > A message among pages is not enough in your case? I'd like to hear the
> > details.
> >
> > FYI: Apache Weex excludes the global JS object for security reasons. A
> > malicious hacker could inject a JS snippet containing a dangerous function
> > just by loading his URL in Weex. If a global JS object is supported, it's
> > very easy for you to execute the JS function provided by the malicious hacker in
> > your page. That's the reason we designed the Sandbox. And I'd encourage every
> > developer to keep it for security reasons.
> >
> > [1]  https://weex.apache.org/zh/docs/api/broadcast-channel.html
> >
> > Best Regards,
> > YorkShen
> >
> > 申远
> >
> >
> > 黄天宁 <zsmj...@gmail.com> wrote on Fri, Feb 28, 2020 at 10:17 AM:
> >
> > > OK, I get it. Thanks!
> > > But it is a shame. Both ways are not enough for me. (The first is not
> > > suitable, the second cannot save JS callbacks in Native.)
> > > I want a global object in JS, none of Native business.
> > > I use a way like Eventbus for communication between neighbour pages
> > > instead.
> > >
> > > Before Sandbox, I realized an API for *neighbour pages*:
> > >
> > > pageA pushes to pageB with a *callback((v)=>{})* and an *increased pushId*;
> > > pushId && callback are both saved in *global* *Date().$CALLBACKS* /
> > > *Date().$PUSHID*.
> > > pageB gets *pushId* from params. When pageB calls *pop(v)*, it *searches for the
> > > callback by pushId* in global Date().$CALLBACKS. Then it invokes *callback(v)*.
> > >
> > > It is a very useful API, and the scenario is frequent in business
> > > for neighbour pages, which need pageA to invoke a callback after coming back from
> > > pageB with params.
> > >
> > > By the way, I found a terrible bug in Jsfm on Android, and I am trying to find the
> > > reason and solve it.
> > > When the type of *inputValue*, which is *bound to* the *value property* of the
> > > <input> component, is *number*, a *precision problem* will happen to *inputValue*.
> > > For example, input 2.5 will show 2.50000; if *inputValue* is changed to
> > > *string*, the error disappears.
> > > The behaviour on iOS is all right.
> > >
> > >
> > > 申远 <shenyua...@gmail.com> wrote on Thu, Feb 27, 2020 at 5:49 PM:
> > >
> > > > The answer is no, and you should never consider using Weex without the
> > > > sandbox.
> > > >
> > > > You could, however,
> > > > 1. use broadcastChannel [1] for communication between pages
> > > > 2. or use JS service [2] for vendor.js, which is very similar to a global
> > > > object.
> > > >
> > > > [1] https://weex.apache.org/zh/docs/api/broadcast-channel.html
> > > > [2] https://weex.apache.org/zh/docs/api/js-service.html
> > > >
> > > > Best Regards,
> > > > YorkShen
> > > >
> > > > 申远
> > > >
> > > >
> > > > 黄天宁 <zsmj...@gmail.com> wrote on Tue, Feb 25, 2020 at 4:16 PM:
> > > >
> > > > > Dear devs:
> > > > >      I'm sorry to disturb you with a question about the Sandbox in both
> > > > > aos/ios.
> > > > >      In some cases, developers need a global object to save/share something
> > > > > for different pages with JS callbacks, which cannot be saved to Native
> > > > > SharedPreference.
> > > > >      *1. In sandbox mode, is there a global object for mounting?* (It looks like
> > > > > there is none, from the doc on the website:
> > > > >   *In particular, the Vue variable are different in each pages, and even
> > > > > the "global" config of Vue (Vue.config.xxx) only affect the single page on
> > > > > Weex.*)
> > > > >
> > > > >      The Android SDK can switch to *unuse sandbox mode*, but the iOS SDK looks like
> > > > > it has none.
> > > > >      *2. iOS is not like Android; it is without the selection
> > > > > of isSandBox.*
> > > > >      I understand little of the C++ sandbox. If you have free time, give me some
> > > > > pointers, plz.
> > > > >
> > > > > Thanks!
> > > > >
> > > >
> > >
> >
>
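
The risk described in point 1 and in the FYI about the sandbox, as an added example that is not part of this thread or of Weex: Node.js `vm` contexts stand in for the JS environment of a Weex page instance (an assumption; Weex's sandbox is implemented differently), and the three page scripts are constructed for the demonstration.

```javascript
// Added illustration, not Weex code: each Node.js vm context stands in for the
// JS environment of one Weex page instance.
const vm = require('node:vm');

// Constructed page scripts. PAGE_A parks a callback on the global Date object,
// as $push does in the thread.
const PAGE_A = `
  Date.$PUSH_CALLBACK_CENTER = Date.$PUSH_CALLBACK_CENTER || {};
  Date.$PUSH_CALLBACK_CENTER[1] = (bank) => 'selected:' + bank;
`;

// Stands for a bundle loaded from a URL the app does not control: it replaces a
// built-in and every callback it can reach through the global object.
const PAGE_B_UNTRUSTED = `{
  Array.prototype.join = function () { return 'tampered'; };
  const center = Date.$PUSH_CALLBACK_CENTER || {};
  for (const id of Object.keys(center)) center[id] = () => 'tampered';
}`;

// PAGE_A later uses an array and fires its stored callback ($pop in the thread).
const PAGE_A_RESUME = `({
  joined: [1, 2].join('-'),
  callback: Date.$PUSH_CALLBACK_CENTER[1]('bank-42'),
})`;

// Runs A, then B, then A's follow-up. sharedGlobal=true puts both pages in one
// context (no sandbox); false gives each page its own built-ins (sandbox).
function runPages(sharedGlobal) {
  const ctxA = vm.createContext({});
  const ctxB = sharedGlobal ? ctxA : vm.createContext({});
  vm.runInContext(PAGE_A, ctxA);
  vm.runInContext(PAGE_B_UNTRUSTED, ctxB);
  const result = vm.runInContext(PAGE_A_RESUME, ctxA);
  return { joined: result.joined, callback: result.callback };
}

console.log('shared global :', runPages(true));
console.log('per-page realm:', runPages(false));
```

In the isolated run page B sees no `$PUSH_CALLBACK_CENTER` at all, so the same isolation that blocks the tampering also removes the shared store the `$push`/`$pop` helper relies on.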
