Closed: rluvaton closed this 1 year ago
Yes, normally I'd agree that a project should go with safe-by-default, but as this project has been around for a long time, derived from jsonpath which also had the same issue, I think we would be taking away too much functionality from users accustomed to the project if we are not providing at least a subset of filtering expressions without eval. Until such time as we can have a safe sandbox on by default, one can opt into preventEval.
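As an added example (not code from jsonpath-plus or its maintainers), this is the kind of "subset of filtering expressions without eval" the comment above refers to: a strict tokenizer plus comparison evaluator for `@.prop op literal` clauses joined by `&&`/`||`, where unrecognised syntax is rejected rather than handed to `eval`. The grammar and the BOOKS sample data are my own assumptions, not the project's.

```javascript
// Added illustration, not jsonpath-plus code: a no-eval evaluator for a filter-expression subset; BOOKS is constructed sample data.
const BOOKS = [{ title: 'Sayings of the Century', price: 8.95, category: 'reference' },
               { title: 'Sword of Honour', price: 12.99, category: 'fiction' },
               { title: 'Moby Dick', price: 8.99, category: 'fiction' }];

// Grammar: cmp (('&&' | '||') cmp)*, cmp := operand op operand. Input the regex does not recognise (calls, parentheses, `=`) is rejected, never evaluated.
const TOKEN_RE = /\s*(@(?:\.[A-Za-z_]\w*)+|'(?:[^'\\]|\\.)*'|-?\d+(?:\.\d+)?|true|false|null|==|!=|<=|>=|<|>|&&|\|\|)\s*/y;
const OPS = { '==': (a, b) => a === b, '!=': (a, b) => a !== b, '<': (a, b) => a < b,
              '<=': (a, b) => a <= b, '>': (a, b) => a > b, '>=': (a, b) => a >= b };
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isOperand = (t) => t !== undefined && !own(OPS, t) && t !== '&&' && t !== '||';

function tokenize(expr) {
  const tokens = [];
  for (let at = 0; at < expr.length; at = TOKEN_RE.lastIndex) {
    TOKEN_RE.lastIndex = at;
    const m = TOKEN_RE.exec(expr);
    if (!m) throw new Error(`Unexpected input at character ${at}`);
    tokens.push(m[1]);
  }
  return tokens;
}

// Operands: @.prop(.prop)*, 'string', number, true, false, null. The path walk reads own properties only, so "@.constructor" cannot reach built-ins; a missing path is undefined.
function resolve(tok, item) {
  if (tok === 'true' || tok === 'false' || tok === 'null') return JSON.parse(tok);
  if (tok[0] === "'") return tok.slice(1, -1).replace(/\\(.)/g, '$1');
  if (tok[0] !== '@') return Number(tok);
  return tok.slice(2).split('.').reduce((cur, key) =>
    cur !== null && typeof cur === 'object' && own(cur, key) ? cur[key] : undefined, item);
}

// Parse once into clauses and return a predicate; && binds tighter than ||.
function compile(expr) {
  const tokens = tokenize(expr), clauses = [];
  for (let i = 0; i < tokens.length; i += 4) {
    const [lhs, op, rhs, join] = tokens.slice(i, i + 4);
    if (!isOperand(lhs) || !own(OPS, op) || !isOperand(rhs)) throw new Error(`Bad comparison at token ${i}`);
    if (join !== undefined && ((join !== '&&' && join !== '||') || i + 4 >= tokens.length)) throw new Error(`Dangling "${join}"`);
    clauses.push({ lhs, op, rhs, join });
  }
  return (item) => {
    let result = false, current = true;
    for (const c of clauses) {
      current = current && OPS[c.op](resolve(c.lhs, item), resolve(c.rhs, item));
      if (c.join !== '&&') { result = result || current; current = true; }
    }
    return result;
  };
}
```

`BOOKS.filter(compile("@.price < 10"))` returns the two cheaper books, while `compile("@.constructor.constructor('x')()")` throws at the first `(` because the grammar has no call syntax.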
Hey @rluvaton, not sure if relevant now, but JSONPath-Plus is now safe by default, and the expression you entered fails with the error:
index-browser-umd.cjs:1694 Uncaught Error: Unexpected "{" at character 16
Currently the JavaScript evaluation is enabled by default, which is a bad practice. I know this project is not maintained anymore, but given the case I would like to know if you would merge a PR that disables the evaluation by default.
JavaScript evaluation is very dangerous if coming from user input (even if it's running in a sandbox). For example, the following path will cause a Heap out of Memory error: