Is it possible to "sandbox" arbitrary JavaScript to only operate on one <div> and not the whole document?

Question

Hello,

what I am trying to do is to force some arbitrary JavaScript code to execute "inside" a DOM element, e.g. <div>. In other words, is it possible to make a piece of code "thinking" that <div> is the root of document hierarchy (or <body> of a document)?

Real life example:

Let's say we have a page that allows executing JavaScript code:

<!DOCTYPE html>
<html>
<head>
  <title>Executor</title>
  <script type="text/javascript" src="jquery.js"></script>
</head>
<body>
  <div></div>
  <input/>
  <button onclick="$('div').html(eval($('input').val()))">
    Execute
  </button>
</body>
</html>

The code has access to entire document and can modify it, e.g:

$("input").hide()

Will prevent me from writing any stupid code any more ;-)

Is is possible to restrict the area of effect for some piece of JavaScript code? and how to do it if it is possible?

Best regards.

Edit:

The code I want to execute might be everything. If Your solution is based on some kind of modification of the given code, please describe how to do it the right way.

Edit2:

First of all, I do not know why I get a down-vote.

Secondly, the code I will execute is someone else's arbitrary code, not mine.

To make everything clear:

What I am really trying to do is to simulate a browser somehow. Get the content of some web page, and insert in into mine. This is relatively easy when we decided to turn off JavaScript and cut out all places where it might appear, but this is something I cannot do. For now I want to limit only the DOM modification (the malicious code). I will work on redirects and cookies later, when I have a base idea.

Answer 1

This is from jQuery selectors documentation. Is that helpful?

<!DOCTYPE html>
    <html>
    <head>
      <script src="http://code.jquery.com/jquery-latest.min.js"&gt;&lt;/script&gt;
    </head>
    <body>
        <input name="man-news" />

      <input name="milkman" />
      <input name="letterman2" />
      <input name="newmilk" />
    <script>$("input[name*='man']").val("has man in it!");</script>
    </body>
    </html>

Answer 2

By default, jQuery is based on the document element, but you can pass a second parameter that tells jQuery where to "start", which essentially limits the execution to that element...

var divToRestrictTo = $("#myDiv");
$("input", divToRestrictTo); // will only look within the DIV

Answer 3

The best way to achieve complete isolation and encapsulation of a chunk of code is to put it into an iframe, and put it on a subdomain of your site so that the domain name of the outer HTML page is not identical to the inner HTML page. Inside the iframe, the JavaScript will see only the DOM of the iframe URL and will have no access to the outer DOM. This isolation is enforced by the browser security model.

The plus side to this technique is that you can have high confidence that the script running inside the iframe will not leak out and steal data from your outer page. This isolation is also the downside - it's harder to share data between the outer page and inner page. To provide controlled access or sharing of data between the iframe and the outer page, there are a variety of cross-domain data sharing techniques you could investigate. If you only need to throw arguments "at" the iframe inner page, you could pass the data on the URL as query params. If you need two-way data exchange, you could use domain-lowering techniques to bring the domain names in line briefly so that the browser will allow data exchange between the outer and inner pages.

Since you are proposing to eval() arbitrary code entered in an input control, you definitely should shield your main page logic from potential hackery. Use an iframe.