This a test page for is intended to safely execute untrusted scripts, and allow the scripts to access only a certain sub-tree of the DOM. Eventually, this can be used to safely load ads and untrusted widgets. All attempts to subvert the security of this system are greatly appreciated. If you find any holes, any ways that you can access the DOM or the JavaScript environment outside of the sandbox, please add a comment to the enhancement ticket. To test secure load, simply enter JavaScript in the text box below and click execute. The JavaScript should only have access to the DOM within the floating div below. The sandbox element is available as the element variable from within the sandboxed JavaScript. Please see below for more detailed instructions on what facilities are available within the sandbox.

Sandboxed div:

Note that these require a proxy file in order to load:

The JavaScript in the sandbox generally follows the rules of ADsafe:

The following global variables are accessible:

The following standard JavaScript/DOM functions/constructors and (their child functions when applicable) may be called. They may only be used in call position, they may not be accessed in any other way. They generally behave as the standard JavaScript function, unless otherwise noted:

The following special functions are available to compensate for the JavaScript syntax limitations imposed by the sandbox: The following functions for DOM manipulation and extra language features are provided by the Dojo library. This represents a safe subset of Dojo. All Dojo library functions are provided as top level functions, namespacing is unnecessary because scripts do have access to modify the global object, and can't define global variables. Thus, you can call Dojo functions directly, for example you can call mixin(obj,mixinObj). You may also use the traditional syntax (dojox.mixin(...)). Here are a list of available functions: