NeilFraser / JS-Interpreter

A sandboxed JavaScript interpreter in JavaScript.
Apache License 2.0

Viability as an Expression/Predicate Interpreter? #250

Closed pha3z closed 1 year ago

pha3z commented 1 year ago

I was looking for a tool that I could use safely in business logic to evaluate expressions & predicates with no risk of code execution that can interact with the browser.

I notice the documentation says JS-Interpreter can't interact with the DOM, but I notice the live demo page executes an "alert()"!

I'm curious to know why "alert()" is allowed... and really why anything like it would be allowed? And is there a place in source code to see and audit all of the functions that interact with the browser itself?

I would want to rip out everything that doesn't constitute simple expressional logic with boolean, numeric, or string results.

NeilFraser commented 1 year ago

JS-Interpreter has no native ability to affect the DOM, the browser environment, or the system. That includes alert. However, the demos of JS-Interpreter specifically add an interface to call alert as part of their configuration.

You can see that here where an Interpreter is created, but with alert added:

https://github.com/NeilFraser/JS-Interpreter/blob/master/index.html#L29

      myInterpreter = new Interpreter(code, initAlert);