11.07.2015 Views

webMathematica™ Wolfram - Wolfram Research


webMathematica User Guide

If the variable $$expr failed the security test, then MSPToExpression will throw a security exception and the page will be terminated. You can modify the treatment of page errors as discussed in the section on handling errors.

Avoid ToExpression

One of the key functions to avoid is ToExpression, the command that turns a string into a Mathematica program. In fact, well-written Mathematica programs rarely need to actually use this. One case might be when an input has been passed with the web request. But this is exactly what MSPToExpression is for, and ToExpression should not be used.

webMathematica still provides a check to prevent users from calling ToExpression on input to the server. For example, in the following the security test is still applied to the input.

    val = ToExpression[ $$num]

This provides an extra level of security, though it would be better to use MSPToExpression. You can disable this check. This is described in the section on ToExpression Validation.

Security Validation

This section describes how the security validation process works and how it can be customized.

The Validation Process

The validation process works in a straightforward manner, and you can customize it to give more or less security. You can investigate its operation in the following steps.

First, load the MSP Mathematica application and then lock down the security model, which cannot be modified after SetSecurity is called. When the server initializes Mathematica, it calls SetSecurity.

    In[1]:= Needs["MSP`"]
    In[2]:= MSP`Utility`SetSecurity["SecurityConfiguration.m"];

Now you can test expressions for validity. The first example shows a harmless mathematical expression that is found to be secure.

    In[3]:= MSP`Utility`SecurityFunction[InsecureExprQ[HoldComplete[Sin[6]]]]
    Out[3]= False
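The principle behind both sections above (inspect the input while it is still held, and evaluate only if it passes) can be shown in plain Mathematica. This is an added example, not webMathematica's implementation and not code from the guide; the names allowedSymbols, symbolNames and safeToExpression are hypothetical, the allow-list is a constructed sample, and parsing is assumed to happen in the Global` context.

```mathematica
(* Added illustration: allow-list validation of a string BEFORE evaluation. *)
(* Not the MSP` package code. All names defined here are hypothetical.      *)

(* Constructed sample allow-list of fully qualified symbol names. *)
allowedSymbols = {
   "System`HoldComplete", "System`Plus", "System`Times", "System`Power",
   "System`Sin", "System`Cos", "System`Sqrt", "System`Pi", "System`E",
   "Global`x"   (* the one free variable the page author expects *)
   };

(* Collect every symbol in a held expression, heads included, without
   evaluating any of them. Context is HoldFirst; SymbolName is not, so
   its argument is wrapped in Unevaluated. *)
symbolNames[held_HoldComplete] :=
  DeleteDuplicates @ Cases[held,
     s_Symbol :> Context[s] <> SymbolName[Unevaluated[s]],
     {0, Infinity}, Heads -> True];

(* Parse with the HoldComplete wrapper so nothing runs during parsing
   (HoldComplete also blocks upvalues and Evaluate), check the symbols,
   and release the hold only when every symbol is on the allow-list. *)
safeToExpression[input_String] :=
  Module[{held, bad},
   held = Quiet @ Check[
      ToExpression[input, InputForm, HoldComplete], $Failed];
   If[held === $Failed,
    Failure["ParseError", <|"Input" -> input|>],
    bad = Complement[symbolNames[held], allowedSymbols];
    If[bad === {},
     ReleaseHold[held],
     Failure["InsecureInput", <|"Symbols" -> bad|>]]]];

(* Constructed inputs: the first uses only allow-listed symbols and is
   evaluated; the second names a file-reading function that is not on the
   list, so it is rejected while still held and never runs. *)
safeToExpression["Sin[6] + x^2"]
safeToExpression["ReadList[\"notes.txt\"]"]
```

A bare ToExpression[input] on the same strings would evaluate them immediately, which is why the check has to happen on the held form.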
