
`eval` not in SAFE_GLOBALS

Open matthewjh opened this issue 1 year ago • 2 comments

Hi, nice library!

I had to use `Function` instead of `eval`, as the evaluator would throw `eval is not defined`. Indeed, `eval` is missing from the `SAFE_GLOBALS` list: https://github.com/nyariv/SandboxJS/blob/f3168a8e90ad7a48babdf44322b31af90aeac1d1/build/SandboxExec.js#L41.

This is odd as the Readme file states eval is a "safe global" by default.

matthewjh avatar May 02 '24 15:05 matthewjh

It says the opposite. This library offers a safe alternative to eval. If you start using the native eval, you don't need this library.

SimoTod avatar May 02 '24 17:05 SimoTod

I think you're missing my point. "eval" is listed as a global which is safely made available within the sandbox, along with Function ctor etc. I'm talking about the symbols made available within the sandbox to the sandboxed code, which is what the list refers to, right?

I want to be able to safely execute code in the sandbox that itself uses eval. Function instead of eval works fine, so this appears to be a bug or oversight.

https://github.com/nyariv/SandboxJS?tab=readme-ov-file#safe-globals

Safe Globals

Function eval console isFinite isNaN parseFloat parseInt decodeURI decodeURIComponent encodeURI encodeURIComponent escape

matthewjh avatar May 02 '24 17:05 matthewjh