Is QML safe ?

  • Pylvain wrote (#1):

    Is QML safe, in the way Lua is? That is, if I download the most random QML script on the web and execute it, can it do any harm? I'm running it with the default context of course.

      • fcarney wrote (#2):

      @Pylvain Lua is only safe if you make it safe in what you expose (when embedded). QML/JavaScript is a generic programming language and will have more power. QML/JavaScript can do a lot of unsafe things if they are exposed by the programmer. It probably can do a lot of unsafe things even if you don't expose things. If you want to have users execute scripts Lua would be a better choice.

      C++ is a perfectly valid school of magic.

        • Pylvain wrote (#3):

        @fcarney
        You didn't read my question until the end. I meant: in the default context. Lua is safe by default. If you expose a C function delete_my_harddrive(), then of course it's not safe.
        The same goes with QML. I'm just asking if QML, as is, that is without exposing any C++ function to it, is safe by default.

          • fcarney wrote (#4):

          @Pylvain said in Is QML safe ?:

          I'm running it with the default context of course

          I cannot assume your level of knowledge from this as "context" could mean anything. Also, the casual observer may not understand what "context" means. I certainly did not. I answered a basic question about QML in the terms of what I understand of Lua.

          QML has no safety for running random code. It is designed to only run code by the developer of the app. So, in those terms Lua is still the better choice.

          I found this by googling "qml unsafe functions":
          https://doc.qt.io/archives/qt-4.8/qdeclarativesecurity.html

            • Pylvain wrote (#5):

            @fcarney
            Thank you for the link, very instructive and clear. Yeah, Lua is a better choice, but it's way less powerful. I will try to see what I can do with sandboxes.

              • fcarney wrote (#6):

              @Pylvain You could get your own copy of a JavaScript engine (even one newer than QML bundles) and use that exclusively for client code. I know you can get the source for V8 (and maybe something newer).

                • Pylvain wrote (#7):

                @fcarney
                Yeah, that's a great idea! Sandboxing doesn't seem to be a thing...
