OK thx, I was less concerned about whether I had caught an infection, vs how I should advise students to interact with Snap next school year. It sounds like to me this is much security ado about very little (which is to say, the appropriate amount of ado)
I'm honored that you read my old articles! :~) And, yeah, that.
The scope of the problem was very different then, though. There was no Internet. (There was the Arpanet, but random high schools weren't on it.) So the good guys and the bad guys were all in the same room, and nobody really wanted to hurt anybody; they just wanted to show off.)
You make a lot of money from advertising if you're Google or Facebook and you provide the infrastructure that allows targeted advertising. If you're a little web site with only a few users, maybe you make enough money to feed your Diet Coke with Splenda habit.
And, kids and parents and teachers trust us because we don't exploit kids to make money. If we were ever going to change that, I'd vote to charge you $5/month or something, rather than run advertising whose content we don't control.
The plan for libraries is that we'll include their essential JS functions in Snap! itself, and have a CALL HIDDEN PRIMITIVE block (probably with a shorter name) that has a dropdown input with a list of those functions plus a variadic input for whatever inputs the primitive needs. So, no, libraries can't run unconstrained JS code either.
We'll have to make sure these functions don't have stupid buffer overrun bugs and that sort of thing, of course, but it's still a finite set of functions to worry about.
Whitelisted hashes of JS body will be a one evening exercise but the whole rewrite may be harder than it looks. Control structures libraries are probably sensitive to booth JS and Snap! execution context.
If I understand correctly, in a project that contains 30 sprites with multiple blocks, I will have to search all the blocks, one by one, to find the blocks that contain javascript, and evaluate the code to see if this code is malicious?
Even the blocks in the libraries contain javascript!
ooh the possibilities! 10% of say or ask blocks present branded content instead -- bh and Jens will be rollin in the scratch! <-- lol unintended pun I swear