
Is QML safe?



  • Is QML safe, in the way Lua is? That is, if I download the most random QML script on the web and execute it, can it do any harm? I'm running it with the default context, of course.



  • @Pylvain Lua is only safe if you make it safe in what you expose (when embedded). QML/JavaScript is a generic programming language and will have more power. QML/JavaScript can do a lot of unsafe things if they are exposed by the programmer. It probably can do a lot of unsafe things even if you don't expose things. If you want to have users execute scripts, Lua would be a better choice.



  • @fcarney
    You didn't read my question until the end. I meant: in the default context. Lua is safe by default. If you expose a C function delete_my_harddrive(), then of course it's not safe.
    The same goes for QML. I'm just asking if QML, as is, that is, without exposing any C++ function to it, is safe by default.



  • @Pylvain said in Is QML safe?:

    I'm running it with the default context of course

    I cannot assume your level of knowledge from this as "context" could mean anything. Also, the casual observer may not understand what "context" means. I certainly did not. I answered a basic question about QML in the terms of what I understand of Lua.

    QML has no safety for running random code. It is designed to only run code by the developer of the app. So, in those terms Lua is still the better choice.

    I found this by googling "qml unsafe functions":
    https://doc.qt.io/archives/qt-4.8/qdeclarativesecurity.html



  • @fcarney
    Thank you for the link, very instructive and clear. Yeah, Lua is a better choice, but it's way less powerful. I will try to see what I can do with sandboxes.



  • @Pylvain You could get your own copy of a JavaScript engine (even one newer than QML bundles) and use that exclusively for client code. I know you can get the source for V8 (and maybe something newer).



  • @fcarney
    Yeah, that's a great idea! Sandboxing doesn't seem to be a thing...

