amol- / dukpy

Simple JavaScript interpreter for Python
MIT License
479 stars 43 forks

[Question] Is evaljs safe? #50

Closed nottheswimmer closed 2 years ago

nottheswimmer commented 4 years ago

If I implement a library to, for instance, pull some JavaScript off the web and evaluate it -- would I open the door to malicious code accessing things that it couldn't if I were running it in the browser?

actualdankcoder commented 3 years ago

Evaluating in general is not safe. Unless you know that a piece of code is safe, don't eval it.

simonw commented 2 years ago

That's a shame - I was hoping I could use this to run untrusted code safely in a sandbox, to implement things like a plugin system that users could paste code into without fear of malicious code stealing their data in some way.

Having a time limit option for evaljs would be useful too, as that would avoid infinite loops (accidental or malicious) freezing the Python program.

amol- commented 2 years ago

I guess it depends on your definition of safety. The JavaScript interpreter doesn't have access to the disk, nor to packages or variables you don't explicitly provide.
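The time limit simonw asks for above is not something evaljs offers, and a thread cannot interrupt the C interpreter while it is stuck in a busy loop, so the usual answer is to make the call in a child process that the parent kills on overrun. The block below is an added example written for this thread, not code from dukpy or from anyone in the discussion. It assumes the interpreter call is wrapped as a zero-argument callable (for dukpy that would be something like `functools.partial(dukpy.evaljs, code, **variables)`, with `variables` being the only names the script gets, which is the explicit-provision amol- describes); the three workloads at the bottom (`well_behaved`, `spin_forever`, `raises`) are constructed stand-ins for a returning, looping and throwing script so that the example runs without dukpy installed.

```python
"""Hard time limit around an interpreter call such as dukpy.evaljs.

Added example, not part of dukpy. The callable runs in a child process;
the parent kills it with SIGKILL if it has not answered within the
deadline. The workloads at the bottom are constructed stand-ins.
"""
import functools
import multiprocessing as mp
import time


class ScriptTimeout(Exception):
    """The script did not finish within the time limit and was killed."""


# fork (POSIX) avoids re-importing the caller's __main__ in the child;
# spawn is the fallback (Windows) and then needs the usual
# ``if __name__ == "__main__"`` guard in the calling script.
_CTX = mp.get_context("fork" if "fork" in mp.get_all_start_methods() else "spawn")


def _child(target, conn):
    """Runs in the child: report the result or the exception, then exit."""
    try:
        conn.send(("ok", target()))
    except Exception as exc:  # script errors are reported, never swallowed
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def run_with_timeout(target, timeout):
    """Call ``target()`` in a child process and kill it after ``timeout`` s.

    ``target`` must be picklable under spawn (a module-level function or a
    functools.partial of one). Returns the target's result, raises
    RuntimeError if the script threw or the child died, and ScriptTimeout
    if the deadline passed.
    """
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_child, args=(target, child_conn), daemon=True)
    proc.start()
    child_conn.close()  # parent keeps only the receiving end
    deadline = time.monotonic() + timeout
    try:
        while True:
            if parent_conn.poll(0.05):
                status, payload = parent_conn.recv()
                if status == "error":
                    raise RuntimeError(payload)
                return payload
            if not proc.is_alive():
                if parent_conn.poll(0):   # answered just before exiting
                    continue
                raise RuntimeError(f"script process died, exit code {proc.exitcode}")
            if time.monotonic() >= deadline:
                raise ScriptTimeout(f"script exceeded {timeout}s and was killed")
    finally:
        if proc.is_alive():
            proc.kill()  # SIGKILL: a busy loop cannot block or catch it
        proc.join()
        parent_conn.close()


# --- constructed stand-ins for what an untrusted script might do ---------

def well_behaved(a, b):
    """Stands in for a script that returns promptly."""
    return a + b


def spin_forever():
    """Stands in for ``while (true) {}``: never returns."""
    while True:
        pass


def raises():
    """Stands in for a script that throws."""
    raise ValueError("script threw")


def demo():
    """Exercise all three outcomes; returns a dict the caller can inspect."""
    results = {}
    results["sum"] = run_with_timeout(functools.partial(well_behaved, 2, 3), timeout=30)
    try:
        run_with_timeout(spin_forever, timeout=0.5)
    except ScriptTimeout:
        results["spin"] = "killed"
    try:
        run_with_timeout(raises, timeout=30)
    except RuntimeError as exc:
        results["error"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

This guards liveness only: it says nothing about what the script can reach, which still comes down to the variables you pass in, and a memory-safety bug in the C engine itself would run with the child's full privileges. On POSIX, dropping the child's `resource` limits (address space, CPU time) before calling the interpreter is the natural next step, and the process-kill approach is what makes that cheap to add.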