Eli Grey

JSandbox 0.2

4 comments

I have recently released JSandbox version 0.2. JSandbox is a JavaScript sandboxing library. Version 0.2 is, for the most part, a complete re-write. It introduces many new features, such as load (for loading external scripts) and exec (faster than eval but no return value). There is now an additional fixed-position arguments API along with the version 0.1 API.

Tagged:
  • http://twitter.com/koistya Koistya `Navin

    Are there any issues with JSandbox? I mean how safe is to execute user uploaded JS scripts this way?

    • http://eligrey.com/ Eli Grey

      To the extent of my knowledge, JSandbox is completely safe. I’ve done much penetration testing and have been unable to uncover any not already-patched attack vectors. Please note that I will eventually (not anytime soon) be rewriting JSandbox into an easier to use (for both the client website and user-submitted code) Java Runnable-like API.

      • http://twitter.com/koistya Koistya `Navin

        Cool. Do you think it is possible to use current version for a scenario when website provides some points of extensibility and website users can extend website functionality with their code by uploading it to the website, similar to how MEF works in .NET world ( http://mef.codeplex.com/ )?

      • http://eligrey.com/ Eli Grey

        It depends on what kind of website extensibility you want. If you want to let scripts commit DOM modifications, you’re going to have to build a secure API on top JSandbox where the sandboxed script continuously (you’ll need to keep polling it, something you wouldn’t have to do in the planned rewrite where you can listen for messages) gives a list of DOM mutations for your API to approve or deny.