fieryprophet
commented
5 years ago The sandbox by default operates within a whitelist format, e.g. it will disallow almost everything unless you explicitly allow for it. I would utilize the whitelisting feature to only enable the functionality you need rather than trying to find a perfect blacklist configuration. By default, access to all superglobals is already disabled.
I plan to use this library to run user's input code in isolated environment with most functions blacklisted by default. (On some relatively safe string and array manipulation). I wonder if there is any security that I should consider? I can imagine that all the SERVER, SESSION variables should be blacklisted or overriden as well?