Hacker News
A collaborative spreadsheet in less than 45 lines of JS, one library used (jsfiddle.net)
199 points by kav-ya on Nov 14, 2013 | hide | past | favorite | 67 comments

It would be nice if people could lay off the script injections. It's clearly insecure, but that's not really the point. It makes the experience worse for everyone if you alert(), etc.

> It's clearly insecure, but that's not really the point.

No, that is the point. I even pointed it out hours ago: https://news.ycombinator.com/item?id=6727448

The failure is the lesson. The previous version was a clever hack written by a clever person. This is ignorance, and the lesson is that allowing users to run arbitrary code on other users' computers is a bad idea.

I'm pretty sure that OP knew the issue, not just you, so it's not ignorance. And it's not the moment to cite The Good Parts either.

There is no failure here to be seen. There is a clever hack to make a spreadsheet shared quick and dirty.

Just a reminder that all the JS code you run, in particular on jsFiddle, is untrusted and is part of the security model of the JS engine in your browser that evil JS code must not be able to do any harm. If it did, report it to the browser vendor and earn a bounty.

yup. I guess some couldn't resist the urge. I hope there aren't more malicious minds, trying to steal cookies or stuff.

Almost certainly someone is stealing cookies and this should be taken down soon. However, I actually enjoyed this post and it was really informative all around.

Fiddles run insecure code by design, so they run it on a separate domain.

If the spreadsheet doesn't load you can watch the chaos unfold in real time by visiting the datastore's page directly: https://spreadsheet.firebaseio-demo.com/sy85U

Nice. I look forward to the full office suite in 60 lines of JS, the email client/server in 75 lines of JS, and of course the bitcoin exchange web app in 90 lines of JS.

Did you forget an operating system in 150 lines of JS? (Four libraries used)

Not sure how many lines of js it uses, but here you go:



I can build a JS interpreter in 1 line of JS.

I think you can pull off Bitcoin in 89 lines.

That would be a very, very long line.

I am waiting for someone to reproduce healthcare.gov with 100 lines of code...

    <p>Please call 205-XXX-XXXX for more information.</p>
    <p>Please call 907-XXX-XXXX for more information.</p>
    <p>Please call 480-XXX-XXXX for more information.</p>
    <p>Please call 479-XXX-XXXX for more information.</p>
Who needs doctypes, titles, or bodies...

That's the spirit! Seriously, it would be an awesome idea to create a website with challenges like that: create a subtractive synthesizer in JS in less than 1k, like old demos.

I think the title should warn users of the various remote injection vulnerabilities present in the script. It took about 5 seconds for the page to change to xhamster

Which would have been extremely embarrassing for someone at work. Luckily, that didn't happen to me.

Wow this link took about 30 seconds to turn into porn. Be warned.

WARNING: Could there be some kind of script attack? My Safari browser freezes with a 'foo' alert message from this site, and it has placed itself as the default website, so whenever I reopen Safari it freezes again.

Let me know if you know how to fix this.

I guess you could start Safari while offline to prevent the page from loading and change back your default page to something sane?

It's probably just restoring your previous session. Hold down Shift when starting Safari to avoid loading the old session data.

How can JS make some page your default? Strange

Collaborative eval with the world, I'm glad I wasn't logged into jsfiddle when I opened that.

Since jsFiddles run user-generated code by design, I hope that they correctly sandbox and use HTTP-only cookies anyway.

That's a great point. A restricted iframe on a separate domain + httpOnly session cookies just to be safe would do it.

That's what they do already.

Now I really love the feature of Chrome, "Prevent this window from creating new dialog box" ( or something like that ). Some *$%#@ put alert in the cell.

Careful, this code runs eval() on all spreadsheet fields. Someone can "collaboratively" steal your jsfiddle.net cookies.

The code runs on the fiddle.jshell.net domain.

that's good :) did not realize

One could use a Function constructor instead of eval to try to mitigate XSS.

Yeah that was fun until I got an alert box in my face.

I like the craziness that this devolved into. It's funny when a bunch of people are all editing like mad.

I had the thought that it'd be fun to have a contest using jsfiddle to start from some point, like the excel (lite) clone in 30 lines, and add the best/coolest feature in some limit of lines.

It's really wonderful how ingenuity stacks.

Such hax.

I wonder if a collaborative drawing app could be made with this, using canvas.. I keep trying to figure out exactly how it works but then sparkleponies and alerts everywhere...

I think I crashed it (ie: Chrome hard lockup on the tab) with this:


That will just throw a frame error because of the X-Frame-Options header, which is caught quickly.

Browsers tend to have more problems with =while(1){}

Somebody has created a bot to put script lyrics in the spreadsheet ._.

Is it a bot or injection that maintains itself?

Sweet. How do I make it so not every Joe can hack the sheet?

You'd have to parse the cells as some sort of DSL that only allows mathematical tokens, as opposed to eval, which allows access to the full arsenal of the JS language. But I think Excel is Turing complete.

Brings up the interesting question -- I wonder what Turing-complete DSLs have drop-in JS libraries you could use to replace the call to "eval" here.
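The "DSL that only allows mathematical tokens" idea from the two comments above, written out as an added example (my code, not the fiddle's): an allowlist tokenizer plus a recursive-descent evaluator that handles decimals, the four operators, parentheses and cell references, and rejects everything else before it can reach the JS engine. The cell-reference syntax, the depth cap of 20 and the SHEET data are my assumptions, not taken from the fiddle.

```javascript
// Added example, not the fiddle's code: a whitelist evaluator that replaces eval().
// Grammar: decimal numbers, + - * / ( ), unary minus and uppercase cell refs like B2;
// any other character is rejected, so "=alert(1)" never reaches the JS engine.
function tokenize(src) {
  return Array.from(src.matchAll(/(\d+(?:\.\d+)?)|([A-Z]+[1-9]\d*)|([-+*/()])|(\S)/g), (m) => {
    if (m[1] !== undefined) return { t: 'num', v: Number(m[1]) };   // whitespace is skipped
    if (m[2] !== undefined) return { t: 'ref', v: m[2] };
    if (m[3] !== undefined) return { t: 'op', v: m[3] };
    throw new Error('illegal character ' + JSON.stringify(m[4]));
  });
}
// Recursive descent: expr := term (('+'|'-') term)*, term := unary (('*'|'/') unary)*,
// unary := '-' unary | num | ref | '(' expr ')'. `depth` caps reference chains so a cycle fails.
function evaluateFormula(src, cells, depth = 0) {
  if (depth > 20) throw new Error('reference chain too deep');
  const toks = tokenize(src);
  let i = 0;
  const atOp = (...ops) => toks[i] !== undefined && toks[i].t === 'op' && ops.includes(toks[i].v);
  function refValue(name) {  // empty -> 0, "=..." -> nested formula, other text must be numeric
    const raw = String(cells[name] ?? '');
    if (raw[0] === '=') return evaluateFormula(raw.slice(1), cells, depth + 1);
    if (Number.isNaN(Number(raw))) throw new Error(name + ' is not numeric'); // Number('') is 0
    return Number(raw);
  }
  function unary() {
    const tok = toks[i++];
    if (tok === undefined) throw new Error('unexpected end of formula');
    if (tok.t === 'num') return tok.v;
    if (tok.t === 'ref') return refValue(tok.v);
    if (tok.v === '-') return -unary();
    if (tok.v !== '(') throw new Error('unexpected ' + tok.v);
    const v = expr();
    if (!atOp(')')) throw new Error('missing )');
    i++; return v;
  }
  const binary = (next, ops, apply) => () => {  // left-associative chain of equal-precedence ops
    let v = next();
    while (atOp(...ops)) { const op = toks[i++].v; v = apply(op, v, next()); }
    return v;
  };
  const term = binary(unary, ['*', '/'], (op, a, b) => (op === '*' ? a * b : a / b));
  const expr = binary(term, ['+', '-'], (op, a, b) => (op === '+' ? a + b : a - b));
  const result = expr();
  if (i !== toks.length) throw new Error('trailing input');
  return result;
}
// UI entry point: plain text returns unchanged (insert with textContent, never innerHTML); a formula yields its value or #ERR.
function renderCell(raw, cells) {
  try { return raw[0] === '=' ? String(evaluateFormula(raw.slice(1), cells)) : raw; } catch (e) { return '#ERR'; }
}
const SHEET = { A1: '4', A2: '=A1*2.5', A3: '=(A1+A2)/2', B1: '=alert(1)', B2: '=A3+', B3: '=B3' }; // constructed sample
```

Because the dot is only accepted inside a number literal, decimals work while `=A1.toString()` is rejected at the tokenizer, which is the balance the blocklist approaches discussed further down struggle with.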

Oh boy. I can't wait to see what someone else can do with 60 lines of JS, and two libraries used!!

[Note: not being sarcastic. Think this is a genuinely awesome way to respond to first post!]

I would love to read about who/how is blocking XSS and censoring!

Oh, that's me: http://jsfiddle.net/sy85U/31/

Just a very quick, crude little hack.

You know what would be cool? Injecting this modified version into all clients, so that everybody acts as a censor.

added an array for blocked words; http://jsfiddle.net/sy85U/47/

Yeah, blocking "." (a dot; decimal numbers should be allowed) is a bit too restrictive, although it works really well.

I think we broke it, the fiddle no longer works for me

I like that everyone is collaborating to keep N S A in the last columns, that is teamwork!

Very cool, probably need a few hundred more lines of code to stop XSS, but awesome nonetheless.

I'm trying to remove the location.href thing outta there! Annoying!

Oops, someone is having success with XSS :/

lol, I think I just got hacked from that

Why not just use TogetherJS securely?

Did someone just execute remote JavaScript?

someone just broke everything hahaha

And someone killed it...

EDIT: Never mind, it's back.

Wow, it's alive.
