
A collaborative spreadsheet in less than 45 lines of JS, one library used - kav-ya
http://jsfiddle.net/sy85U/
======
mayop100
It would be nice if people could lay off the script injections. It's clearly
insecure, but that's not really the point. It makes the experience worse for
everyone if you alert(), etc.

~~~
jcampbell1
> It's clearly insecure, but that's not really the point.

No, that is the point. I even pointed it out hours ago:
[https://news.ycombinator.com/item?id=6727448](https://news.ycombinator.com/item?id=6727448)

The failure is the lesson. The previous version was a clever hack written by a
clever person. This is ignorance, and the lesson is that allowing users to run
arbitrary code on other users' computers is a bad idea.

~~~
FiloSottile
I'm pretty sure that OP knew the issue, not just you, so it's not ignorance.
And it's not the moment to cite The Good Parts either.

There is no failure here to be seen. There is a clever hack to make a
spreadsheet shared quick and dirty.

Just a reminder that all the JS code you run, in particular on jsFiddle, is
untrusted and is part of the security model of the JS engine in your browser
that evil JS code must not be able to do any harm. If it did, report it to the
browser vendor and earn a bounty.

------
ehPReth
If the spreadsheet doesn't load you can watch the chaos unfold in real time by
visiting the datastore's page directly:
[https://spreadsheet.firebaseio-demo.com/sy85U](https://spreadsheet.firebaseio-demo.com/sy85U)

------
wikwocket
Nice. I look forward to the full office suite in 60 lines of JS, the email
client/server in 75 lines of JS, and of course the bitcoin exchange web app in
90 lines of JS.

~~~
asiekierka
Did you forget an operating system in 150 lines of JS? (Four libraries used)

~~~
thatthatis
Not sure how many lines of js it uses, but here you go:

[http://bellard.org/jslinux/](http://bellard.org/jslinux/)

[http://bellard.org/jslinux/tech.html](http://bellard.org/jslinux/tech.html)

------
projectramo
I am waiting for someone to reproduce healthcare.gov with 100 lines of code...

~~~
camus2
That's the spirit! Seriously, it would be an awesome idea to create a website
with challenges like that. Create a subtractive synthesizer in JS in less
than 1k, like old demos.

~~~
sbirch
[http://js1k.com/](http://js1k.com/)

------
fareesh
I think the title should warn users of the various remote injection
vulnerabilities present in the script. It took about 5 seconds for the page to
change to xhamster

~~~
imdsm
Which would have been extremely embarrassing for someone at work. Luckily,
that didn't happen to me.

------
Goddel2
Wow this link took about 30 seconds to turn into porn. Be warned.

------
mothertrouble
WARNING: Could there be some kind of script attack? My Safari browser freezes
with a 'foo' alert message from this site, and it has set itself as my default
website, so whenever I reopen Safari it freezes again.

Let me know if you know how to fix this.

~~~
elisee
I guess you could start Safari while offline to prevent the page from loading
and change back your default page to something sane?

------
leokun
Collaborative eval with the world, I'm glad I wasn't logged into jsfiddle when
I opened that.

~~~
FiloSottile
Since jsFiddles run user-generated code by design, I hope that they correctly
sandbox and use HTTP-only cookies anyway.

~~~
leokun
That's a great point. A restricted iframe on a separate domain + httpOnly
session cookies just to be safe would do it.

~~~
mintplant
That's what they do already.

------
rjuyal
Now I really love the feature of Chrome, "Prevent this window from creating
new dialog box" ( or something like that ). Some *$%#@ put alert in the cell.

------
Breefield
Careful, this code runs eval() on all spreadsheet fields. Someone can
"collaboratively" steal your jsfiddle.net cookies.

~~~
mintplant
The code runs on the fiddle.jshell.net domain.

~~~
Breefield
that's good :) did not realize

------
RokStdy
I like the craziness that this devolved into. It's funny when a bunch of
people are all editing like mad.

I had the thought that it'd be fun to have a contest using jsfiddle to start
from some point, like the excel (lite) clone in 30 lines, and add the
best/coolest feature in some limit of lines.

It's really wonderful how ingenuity stacks.

~~~
krapp
Such hax.

I wonder if a collaborative drawing app could be made with this, using
canvas... I keep trying to figure out exactly how it works, but then
sparkleponies and alerts everywhere...

~~~
ianbicking
Not Firebase, but you might enjoy:
[https://hacks.mozilla.org/2013/10/introducing-togetherjs/](https://hacks.mozilla.org/2013/10/introducing-togetherjs/)

------
mmastrac
I think I crashed it (ie: Chrome hard lockup on the tab) with this:

=location.href='google.com'

~~~
jcampbell1
That will just throw a frame error because of the X-Frame-Options header,
which is caught quickly.

Browsers tend to have more problem with =while(1){}

------
iancarroll
Somebody has created a bot to put script lyrics in the spreadsheet ._.

~~~
golergka
Is it a bot or injection that maintains itself?

------
justinwi
Sweet. How do I make it so not every Joe can hack the sheet?

~~~
joshribakoff
You'd have to parse the cells as some sort of DSL that only allows
mathematical tokens, as opposed to eval, which allows access to the full
arsenal of the JS language. But I think Excel is Turing complete.
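
An added example of the "mathematical tokens only" DSL suggested above, which also answers the cookie-stealing concern raised earlier in the thread (the fiddle passes every cell to eval()). This is not code from the fiddle or from any commenter: it is a small tokenizer plus recursive-descent parser that accepts only numbers, `+ - * /`, parentheses and A1-style cell references, so the payloads people dropped into the sheet (`=alert('foo')`, `=while(1){}`, `=location.href='google.com'`) fail to tokenize instead of running. The sheet layout, the `#ERR` marker and the sample cells are this example's own assumptions.

```javascript
// Added example, not code from the fiddle: a cell-formula evaluator that never
// calls eval(). Only numbers, + - * / ( ) and A1-style references tokenize, so
// "=alert('foo')", "=while(1){}" and "=location.href='...'" are rejected as
// input rather than executed. Cell names, grammar and '#ERR' are assumptions.

class FormulaError extends Error {}

// Tokenizer: a sticky regex carrying the whole allow-list; anything else is an error.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|([A-Z]+\d+)|([-+*\/()]))/y;
function tokenize(src) {
  const tokens = [];
  src = src.trim();
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const at = TOKEN.lastIndex;
    const m = TOKEN.exec(src);
    if (!m) throw new FormulaError(`unexpected input at ${at}: ${JSON.stringify(src.slice(at, at + 8))}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'ref', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Recursive-descent parser that evaluates as it parses. resolve(ref) returns
// the numeric value of another cell.
function parseAndEval(tokens, resolve) {
  let pos = 0;
  const peekOp = (...ops) => pos < tokens.length && tokens[pos].type === 'op' && ops.includes(tokens[pos].value);
  function expr() {                 // expr := term (('+'|'-') term)*
    let v = term();
    while (peekOp('+', '-')) {
      const op = tokens[pos++].value, r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  function term() {                 // term := unary (('*'|'/') unary)*
    let v = unary();
    while (peekOp('*', '/')) {
      const op = tokens[pos++].value, r = unary();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function unary() {                // unary := '-' unary | primary
    if (peekOp('-')) { pos++; return -unary(); }
    return primary();
  }
  function primary() {              // primary := num | ref | '(' expr ')'
    const t = tokens[pos++];
    if (!t) throw new FormulaError('unexpected end of formula');
    if (t.type === 'num') return t.value;
    if (t.type === 'ref') return resolve(t.value);
    if (t.type === 'op' && t.value === '(') {
      const v = expr();
      if (!peekOp(')')) throw new FormulaError('expected )');
      pos++;
      return v;
    }
    throw new FormulaError(`unexpected token ${t.value}`);
  }
  const result = expr();
  if (pos !== tokens.length) throw new FormulaError(`trailing input: ${tokens[pos].value}`);
  return result;
}

// Evaluate one cell of a sheet given as { name: rawString }. Formulas start with
// '='; anything else is a literal returned verbatim, never executed. inProgress
// turns "=A1" <-> "=B1" cycles into an error instead of unbounded recursion.
function evaluateCell(cells, name, inProgress = new Set()) {
  const raw = cells[name] ?? '';
  if (raw === '') return 0;
  if (raw[0] !== '=') { const n = Number(raw); return Number.isFinite(n) ? n : raw; }
  if (inProgress.has(name)) throw new FormulaError(`circular reference via ${name}`);
  inProgress.add(name);
  try {
    return parseAndEval(tokenize(raw.slice(1)), (ref) => {
      const v = evaluateCell(cells, ref, inProgress);
      if (typeof v !== 'number') throw new FormulaError(`${ref} is not numeric`);
      return v;
    });
  } finally {
    inProgress.delete(name);
  }
}
// Display string for the UI. Write it with textContent, not innerHTML: a
// literal like "<script>..." comes back as text and must stay text.
function renderCell(cells, name) {
  try { return String(evaluateCell(cells, name)); }
  catch (e) { if (e instanceof FormulaError) return '#ERR'; throw e; }
}
// Constructed sample sheet, including the payloads dropped into the fiddle.
const sampleCells = {
  A1: '21', B1: '=A1*2', C1: '=(B1+A1)/-3', D1: "=alert('foo')",
  E1: '=while(1){}', F1: "=location.href='google.com'", G1: '=H1', H1: '=G1',
};
for (const name of Object.keys(sampleCells)) console.log(name, renderCell(sampleCells, name));
```

The allow-list tokenizer is what does the security work: there is no denylist of dangerous names to bypass, because a lowercase letter, a quote or a brace is simply not a token. The cycle check matters for the same reason `=while(1){}` does in the thread: a parser that follows references has to bound its own work, or the sheet can still be frozen without any script at all.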

~~~
wwweston
Brings up the interesting question -- I wonder what turing-complete DSLs have
drop-in JS libraries you could use to replace the call to "eval" here.

~~~
icebraining
[http://nayuki.eigenstate.org/res/brainfuck-interpreter-javas...](http://nayuki.eigenstate.org/res/brainfuck-interpreter-javascript.js)

------
gmjoe
Oh boy. I can't wait to see what someone else can do with 60 lines of JS, and
two libraries used!!

[Note: not being sarcastic. Think this is a genuinely awesome way to respond
to first post!]

------
FiloSottile
I would love to read about who/how is blocking XSS and censoring!

~~~
mintplant
Oh, that's me: [http://jsfiddle.net/sy85U/31/](http://jsfiddle.net/sy85U/31/)

Just a very quick, crude little hack.

~~~
FiloSottile
You know what would be cool? Injecting this modified version into all clients,
so that everybody acts as a censor.

------
rnl
[http://images.retecool.com/uploads/reet-And_its_gone_origina...](http://images.retecool.com/uploads/reet-And_its_gone_original.jpg)

------
10098
I think we broke it, the fiddle no longer works for me

~~~
kav-ya
Try clearing your local storage:
[http://stackoverflow.com/questions/7667958/clear-localstorag...](http://stackoverflow.com/questions/7667958/clear-localstorage)

------
mariocesar
I like that everyone is collaborating to keep N S A in the last columns, that
is teamwork!

------
srobertson
very cool, probably need a few 100 more lines of code to stop XSS but awesome
none the less.

------
njsubedi
I'm trying to remove the location.href thing outta there! Annoying!

------
cm-t
Oops, someone is having success with XSS :/

------
Demiurge
lol, I think I just got hacked from that

------
EGreg
Why not just use TogetherJS securely?

------
Eduard
Did someone just execute remote JavaScript?

------
newbrict
someone just broke everything hahaha

------
maemilius
And someone killed it...

EDIT: Nevermind, it's back.

------
vj44
Dope.

------
hkon
wow it's alive

