Disable JavaScript execution in QML



  • Is it possible to disable all of the script execution inside the QML?
    It may be need to secure GUI plugins which vendor may allow to create for end users with the QML help. But this opportunity will be annihilated if there is no method to forbid execution of random code in QML.



  • QML without javascript is like a painting without colors; its going to not be very interesting for most usecases.

    Moving code to the client either in javascript or in compiled C++ form should be similarly attacked; you need your security before a 3rd party's code lands on your target device.

    Disabling javascript is not going to give you the security you want.



  • Perhaps we have some GUI element which we draw with QML help. Suppose it has edit fields for private user data. If there is no JavaScript QML is still useful because every user can write its own QML and have some pretty GUI element. But if JavaScript is turned on then some malicious man can integrate information stealing and many other disastrous things. It can even have privilege elevation at the worst case!
    No one can do the same thing with already built C++ code with an acceptable cost.


Log in to reply
 

Looks like your connection to Qt Forum was lost, please wait while we try to reconnect.