1. If the global variables were allowed, then attackers could even replace the default implementation of string/array or anything eles you can image, then inject it to the global environment, you would be attacked by simply using array in your js bundle. Encoding/Decoding JS is not helpful here.
2. You probably could solve the problem in a different way. The navigator.push() in Weex didn't support any parameters, but you can implement your own navigator modules that supports parameters, 1. Create an API like *nav2.push(argsA) *, *nav2.pop(argsB).* 2. Implement it in Java Code. You coud always execute a JS code in Java by calling execJS() 3. Just invoke nav2 in your JS code. Actually, you could make the implementation of navigator in Weex better, and I am happy to review and merge your code. Best Regards, YorkShen 申远 黄天宁 <zsmj...@gmail.com> 于2020年3月3日周二 上午9:43写道: > Yeah,i get your mean(For security, i encode js bundle with XXTEA in OSS, > and download/decode js bundle before SDKManager.render() )。 > And in fact,broadcastChannel is content with the need of business. > But it not *the best/most easy way to deal with neighbour pages*,especially > the second page will back to the first page with a obj param。(such as:bank > detail page(click the bank) => bank list page(choose a bank) = > back to > bank detail page(with bank info param)) > > Because of lazy,i wrote an Js API for more convenient in the scene: > > /* global Date */ > Date.$PUSH_UUID = Date.$PUSH_UUID || 0 > Date.$PUSH_CALLBACK_CENTER = Date.$PUSH_CALLBACK_CENTER || {} > > function $push(path, params, callback) { > const isWeexPage = path.indexOf('weex/page/') >= 0 > const hasCallback = typeof callback === 'function' > > if (!isWeexPage && hasCallback) { > log('Warning', 'Only pushing to a Weex page support a callback!') > } > > const puuid = (isWeexPage && hasCallback) ? (++Date.$PUSH_UUID) : > undefined > const finalUrl = url.join(toLink(path, DefaultScheme), params, puuid ? > { puuid } : undefined) > native.push(finalUrl) > > if (puuid) { > Date.$PUSH_CALLBACK_CENTER[puuid] = callback > this.$on('hook:destroyed', () => Date.$PUSH_CALLBACK_CENTER[puuid] > = undefined) > } > } > > > function $pop(v) { > native.pop() > const root = getRootVM(this) > const puuid = root.params.puuid > if (puuid) { > const callback = Date.$PUSH_CALLBACK_CENTER[puuid] > Date.$PUSH_CALLBACK_CENTER[puuid] = undefined > if( typeof callback === 'function') callback(v) > } > } > > it is useful and very convenient。 > A=>B : $push(url, params, (v)=>{ //do callback }) > B=>A: $pop(obj) > Then the callback(from A) will invoke with obj(from B). > *The only premise is the Date is a global object in Js Environment for each > weex instance。* > > 申远 <shenyua...@gmail.com> 于2020年3月2日周一 下午11:33写道: > > > Well, It seems like you could use broadcastChannel [1] to send message > (not > > callback) among pages. If this is not enough, you have to use low level > C++ > > api to implement it by yourself, which is hard to write and not > encouraged. > > > > A message among pages is not enough in your case? I'd like to here the > > detail. > > > > FYI: Apache Weex excludes global JS object for security reasons. A > > malicious hacker could inject a JS snippet containing dangerous function > > just by loading his URL in Weex. If global JS object is supported, it's > > very easy for you to excute the JS function provided by malicious hacker > in > > your page. That's reason we design Sandbox. And I'd encourage every > > developer keeping if for security reason. > > > > [1] https://weex.apache.org/zh/docs/api/broadcast-channel.html > > > > Best Regards, > > YorkShen > > > > 申远 > > > > > > 黄天宁 <zsmj...@gmail.com> 于2020年2月28日周五 上午10:17写道: > > > > > OK, i get it. Thanks! > > > But it is a shame. Both ways are not enough for me. (first is not > > > suitable,second can not save JS callbacks in Native) > > > I want a global object in JS, none of Native business. > > > I use a way like Eventbus for communication between neighbour pages > > > instead. > > > > > > Before Sandbox,I realize an api for *neighbour pages*: > > > > > > pagaA push to pagaB witch a *callback((v)=>{})* and *increased > pushId*, > > > pushId && callback both saved in *global* *Date().$CALLBACKS/* > > > *Date().$PUSHID.* > > > pageB get *pushId* from params. When pageB *pop(v)*, *search callback > by > > > pushId* in global Date().$CALLBACKS.Then inoke *callbakc(v).* > > > > > > It is a very useful api , and the scene is frequent in business > > > for neighbour pages, which need pageA invoke callback after back from > > > pageB with params. > > > > > > By the way,I find a terrible bug in Jsfm in Android。And i try to find > the > > > reason and solve it > > > When the type of *inputValue * is *number,*, which *bind with* > Component > > > <input> *property value*。*Precision problem* will happen to* > > inputValue* . > > > For example, input 2.5 will show 2.50000, if change *inputValue* to > > > *string*, > > > the error disappear. > > > The behaviour in IOS is all right. > > > > > > > > > 申远 <shenyua...@gmail.com> 于2020年2月27日周四 下午5:49写道: > > > > > > > The answer is no, and you should never consider using Weex without > > > sandbox. > > > > > > > > You could however, > > > > 1. use boradcastChannel [1] for communication between pages > > > > 2. or use JS service [2] for vendor.js, which is very similar to > global > > > > object. > > > > > > > > [1] https://weex.apache.org/zh/docs/api/broadcast-channel.html > > > > [2] https://weex.apache.org/zh/docs/api/js-service.html > > > > > > > > Best Regards, > > > > YorkShen > > > > > > > > 申远 > > > > > > > > > > > > 黄天宁 <zsmj...@gmail.com> 于2020年2月25日周二 下午4:16写道: > > > > > > > > > Dear devs: > > > > > I'm sorry to disturb you about a question about SandBox in > both > > > > > aos/ios. > > > > > In some case, developer need a global Object to save/share > > > something > > > > > for different pages with JS callback,which can not save to Native > > > > > SharedPreference. > > > > > *1.In sandBox mode, is there a global Object for mounting?*(It > > > looks > > > > > none, from the doc on website : > > > > > *In particular, the Vue variable are different in each pages, and > > > even > > > > > the "global" config of Vue (Vue.config.xxx) only affect the single > > page > > > > on > > > > > Weex.* > > > > > > > > > > Android SDK can switch to *unuse sandbox mode*, but IOS SDK > > looks > > > > > none. > > > > > *2.IOS is not just like Android,which is without the selection > > > > > of isSandBox.* > > > > > Little understand in C++ sandBox. If you have free time,give > me > > > some > > > > > pointers,plz. > > > > > > > > > > Thanks! > > > > > > > > > > > > > > >