Closed (nottheswimmer closed this issue 2 years ago)
Evaluating in general is not safe. Unless you know that a piece of code is safe, don't eval it.
That's a shame - I was hoping I could use this to run untrusted code safely in a sandbox, to implement things like a plugin system that users could paste code into without fear of malicious code stealing their data in some way.
Having a time limit option for evaljs would be useful too, as that would avoid infinite loops (accidental or malicious) freezing the Python program.
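The time limit asked for above can be imposed from the host side without any support from the evaluator: run the evaluation in a child process, join it with a deadline, and kill the child if it has not returned. The code below is an added example, not code from this thread or from the library; `toy_eval` is a constructed stand-in for the real JavaScript evaluator so the block runs offline, and `evaluate_with_timeout`, `EvalResult` and the `while(true){}` trigger string are names chosen for the illustration.

```python
"""Run an evaluator in a child process with a hard wall-clock limit.

Added example (not part of the issue thread or the library's own code).
`toy_eval` is a constructed stand-in for a real JavaScript evaluator so the
block runs offline; a host application would pass its real evaluator
function in its place.
"""
import multiprocessing as mp
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class EvalResult:
    ok: bool
    value: Optional[object] = None
    error: Optional[str] = None
    timed_out: bool = False


def toy_eval(code: str) -> int:
    """Constructed stand-in for an evaluator: sums integers joined by '+',
    and spins forever on the literal 'while(true){}' to imitate an
    infinite loop in evaluated code."""
    if code.strip() == "while(true){}":
        while True:          # never returns; only the parent's kill ends it
            time.sleep(0.01)
    return sum(int(token) for token in code.split("+"))


def _child(worker: Callable[[str], object], code: str, conn) -> None:
    """Runs in the child process: evaluate and report outcome over the pipe."""
    try:
        conn.send(("ok", worker(code)))
    except Exception as exc:  # report the failure instead of dying silently
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def evaluate_with_timeout(worker: Callable[[str], object], code: str,
                          timeout_s: float) -> EvalResult:
    """Evaluate `code` with `worker` in a child process, killing it after
    `timeout_s` seconds of wall-clock time."""
    recv_conn, send_conn = mp.Pipe(duplex=False)
    proc = mp.Process(target=_child, args=(worker, code, send_conn), daemon=True)
    proc.start()
    send_conn.close()            # parent keeps only the receiving end
    proc.join(timeout_s)
    if proc.is_alive():          # deadline passed: stop the runaway child
        proc.kill()
        proc.join()
        return EvalResult(ok=False, error="timeout", timed_out=True)
    if not recv_conn.poll():     # child died without reporting (e.g. killed by OOM)
        return EvalResult(ok=False, error=f"child exited with code {proc.exitcode}")
    kind, payload = recv_conn.recv()
    if kind == "ok":
        return EvalResult(ok=True, value=payload)
    return EvalResult(ok=False, error=payload)


if __name__ == "__main__":
    print(evaluate_with_timeout(toy_eval, "1 + 2", 2.0))
    print(evaluate_with_timeout(toy_eval, "while(true){}", 0.5))
    print(evaluate_with_timeout(toy_eval, "nope", 2.0))
```

A process boundary plus a deadline only bounds CPU time from the host's point of view; the child still inherits the parent's filesystem and network access and has no memory ceiling, so this addresses the freezing problem and nothing else in the thread's safety question.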
I guess it depends on your definition of safety. The JavaScript interpreter doesn't have access to the disk, or to packages or variables you don't explicitly provide.
If I implement a library to, for instance, pull some JavaScript off the web and evaluate it, would I open the door to malicious code accessing things that it couldn't if I were running it in the browser?