scriptbox

scriptbox
 



# Script Sandbox for PHP

## Overview

This is a script interpreter for PHP. Custom code is parsed and interpreted in a sandbox.

The code syntax is similar to [Javascript](https://developer.mozilla.org/en-US/docs/Web/JavaScript). More precisely, it is a subset of Javascript.

## History 

It was written for the [OpenRat CMS](http://www.openrat.de) and is maintained there.


## Details

Scriptbox is an in-memory script interpreter written in PHP. The scripts are interpreted directly in the syntax tree and are **not** transpiled to PHP code.

A script is running in its sandbox, but it may call functions in your PHP code if you provide appropriate classes (see below).

It consists of a lexer, a syntax parser and an interpreter.

The scripts may be used as a [domain specific language (DSL)](https://en.wikipedia.org/wiki/Domain-specific_language) in your PHP application.


## Usage

There is the `dsl\executor\DslInterpreter` class to run your code:

    $interpreter = new DslInterpreter();
    $interpreter->runCode( $code );

### get output

For getting the standard output, simply call `getOutput()`:

    $interpreter = new DslInterpreter();
    $interpreter->runCode( $code );
    $output = $interpreter->getOutput() ); // get the output

### add context

you may add custom objects to the calling context

    $interpreter = new DslInterpreter();
    $interpreter->addContext( [ 'mycontext'=> new MyContextObject() ]  );
    $interpreter->runCode( $code );

Your class `MyContextObject` must implement `dsl\context\DslObject`,then your code may contain

    mycontext.method();

### get return value

    $interpreter = new DslInterpreter();
    $returnValue = $interpreter->runCode( $code );

## Syntax

The language syntax is a subset of javascript.

## Features

### comments

single line comments like

    // this is a comment

and multiline commens like

    /**
     * this is a comment
     */

are supported


### text

    write( "this is a 'string'" );  // writes to standard out
    write( 'this is a "string"' );  // writes to standard out 
    

### variables

variables and string concatenation:

    age = 18;
    write("my age is " + age );

variables *may* be initialized with `let`,`var` or `const` but this is optional:

    let age = 18; // "let" is optional and completely ignored
    write("my age is " + age );

every variable is "block scoped".


### function scope

variables are valid for the current block.

    age = 18;

    function add() {
        age = age + 1;
        write( "next year, you are " + age ); // 19
    }
    add();

    write( "but this year you are " + age ); // 18


### function calls

Example

    write( "powered by " + name() );

    function name() {
        return "script sandbox";
    {


### if / else

    age = 17;
    if   ( age < 18 )
        write( "you are under 18" );
    else {
        write( "you are already 18" );
        write( "you are allowed to enter" );
    }

### full arithmetic calculations
   
    write( 1 + 2 * 3 ); // this resolves to 7 because of the operator priority

### arrays and for loops

    animals = Array.of('lion', 'ape', 'fish');

    for( animal of animals )
        write( animal + " is an animal." );


### object properties

    write( "PI is " + Math.PI );

### throw

    throw "this is an error";

The message is thrown as a DslRuntimeException and is able to be catched from the calling PHP code.

Hint: try/catch blocks in scripts are not supported.

## Template script

Remember Smarty and Twig? Yes, but both have their strange syntax. Check out this template parser with a JSP-like syntax:

    
    
    <% age = 12; %>
    Next year your age is <%= (age+1) %>



### Usage

    // Parse the template, this will create a plain script
    $templateParser = new DslTemplate();
    $templateParser->parseTemplate($src);

    // That's all. Lets start the interpreter
    $executor = new DslInterpreter();
    $executor->runCode($templateParser->script);
    echo( $executor->getOutput() ); // get the output


## Unsupported

- There is NO support for creating classes or objects.
- Due to the request-based operation of the PHP interpreter there is no possibility for asynchronous methods like `async` or `await`.
- No try/catch
- No `window`, `document` or `navigator` objects

## FAQ

_Does it generate PHP code?_

No. The Interpreter works in memory. There is no way to create PHP code, even if it would be possible to implement.

_Is it slow?_

Yes, maybe, because there is no cache and no compilation to native PHP code. But this scriptbox targets content management systems which have their own caching.

_Is it safe?_

Yes, because the code is sandboxed. No PHP functions are available for the script. The default objects (Math, Number, Array) are safe. But please be careful if you are exposing your internal PHP functions oder objects into the context.

_Why did you do this?_

Because it was possible ;) And I needed a sandboxed DSL (domain specific language) for my CMS.Last Commit:Tue, 19 Jul 2022 00:10:39 +0200 Jan Dankert	Fetched from upstream.

11 Commits
0 Tags
1 Branches
43 Files


Download