68 comments

[ 4.1 ms ] story [ 147 ms ] thread
Sweet. How do you do I make it so not every Joe can hack the sheet?
(comment deleted)
You'd have to parse the cells as some sort of DSL that only allows mathematical tokens, as opposed to eval which allows access to the full arsenal of the JS language. But I think excel is Turing complete
Oh boy. I can't wait to see what someone else can do with 60 lines of JS, and two libraries used!!

[Note: not being sarcastic. Think this is a genuinely awesome way to respond to first post!]

Careful, this code runs eval() on all spreadsheet fields. Someone can "collaboratively" steal your jsfiddle.net cookies.
one could use a function constructor instead of eval to try to mitigate XSS.
The code runs on the fiddle.jshell.net domain.
Yeah that was fun until I got an alert box in my face.
very cool, probably need a few 100 more lines of code to stop XSS but awesome none the less.
It would be nice if people could lay off the script injections. It's clearly insecure, but that's not really the point. It makes the experience worse for everyone if you alert(), etc.
yup. I guess some couldn't resist the urge. I hope there aren't more malicious minds, trying to steal cookies or stuff.
Almost certainly someone is stealing cookies and this should be taken down soon. However, I actually enjoyed this post and was really informative all around.
Fiddles run unsecure code by design, so they do in a separate domain.
> It's clearly insecure, but that's not really the point.

No, that is the point. I even pointed it out hours ago: https://news.ycombinator.com/item?id=6727448

The failure is the lesson. The previous version was a clever hack written by a clever person. This is ignorance, and the lesson is that allowing users to run arbitrary code on other user's computers is bad idea.

I'm pretty sure that OP knew the issue, not just you, so it's not ignorance. And it's not the moment to cite The Good Parts either.

There is no failure here to be seen. There is a clever hack to make a spreadsheet shared quick and dirty.

Just a reminder that all the JS code you run, in particular on jsFiddle, is untrusted and is part of the security model of the JS engine in your browser that evil JS code must not be able to do any harm. If it did, report it to the browser vendor and earn a bounty.

I like the craziness that this devolved into. It's funny when a bunch of people are all editing like mad.

I had the thought that it'd be fun to have a contest using jsfiddle to start from some point, like the excel (lite) clone in 30 lines, and add the best/coolest feature in some limit of lines.

It's really wonderful how ingenuity stacks.

And someone killed it...

EDIT: Nevermind, it's back.

Wow this link took about 30 seconds to turn into porn. Be warned.
I am waiting for someone to reproduce healthcare.gov with 100 lines of code...
that's the spirit ! seriously it would be an awesome idea to create a website with challenges like that. create a substractive synthesizer in js in less than 1k, like old demos

    <h1>Alabama</h1>
    <p>Please call 205-XXX-XXXX for more information.</p>
    <h1>Alaska</h1>
    <p>Please call 907-XXX-XXXX for more information.</p>
    <h1>Arizona</h1>
    <p>Please call 480-XXX-XXXX for more information.</p>
    <h1>Arkansas</h1>
    <p>Please call 479-XXX-XXXX for more information.</p>
    ...
Who needs doctypes, titles, or bodies...
I like that everyone is collaborating to keep N S A in the last columns, that is team work !
Collaborative eval with the world, I'm glad I wasn't logged into jsfiddle when I opened that.
Since jsFiddles run user-generated code by design, I hope that they correctly sandbox and use HTTP-only cookies anyway.
That's a great point. A restricted iframe on a separate domain + httpOnly session cookies just to be safe would do it.
lol, I think I just got hacked from that
did someone just execute remote javascript`?
WARNING: Could there be some kind of script attack ? My Safari browser freezes with 'foo' alert message from this site and it has placed itself as default website so whenever I reopen safari it freezes again.

Let me know if you know how to fix this.

I guess you could start Safari while offline to prevent the page from loading and change back your default page to something sane?
How can JS make some page your default? Strange
It's probably just restoring your previous session. Hold down Shift when starting Safari to avoid loading the old session data.
I think I crashed it (ie: Chrome hard lockup on the tab) with this:

=location.href='google.com'

That will just throw a frame error because of the X-Frame-Options header, which is caught quickly.

Browsers tend to have more problem with =while(1){}

I would love to read about who/how is blocking XSS and censoring!
I'm trying to remove the location.href thing outta there! Annoying!
someone just broke everything hahaha
Nice. I look forward to the full office suite in 60 lines of JS, the email client/server in 75 lines of JS, and of course the bitcoin exchange web app in 90 lines of JS.
that would be a very2 long lines
I think you can pull off Bitcoin in 89 lines.
I can build a JS interpreter in 1 line of JS.
I think the title should warn users of the various remote injection vulnerabilities present in the script. It took about 5 seconds for the page to change to xhamster
Which would have been extremely embarrassing for someone at work. Luckily, that didn't happen to me.
Now I really love the feature of Chrome, "Prevent this window from creating new dialog box" ( or something like that ). Some *$%#@ put alert in the cell.
Ooups, someone has having success with XSS :/