Missed the group reply. Hi Kevin,
Specifically if you know you're in a ES5-strict mode compliant js engine, like a modern V8 to use this, load caja.js and initialize caja as follows: caja.initialize({ forceES5Mode: true }); caja.load(undefined /* if you don't need a dom */, caja.policy.net.ALL /* your url policy */, function (frame) { frame.code('a base url', 'text/javascript', '...your js code') .run(); }); To expose more apis to this isolated code, please see https://developers.google.com/caja/ jas On Wednesday, July 11, 2012 9:52:05 AM UTC-7, Kevin O wrote: > > We are working on an app where we want to give users the ability to upload > JS scripts to process their data in our app. > > Insane, right? :) Well we are going to do it in a sane way or not do it > at all. We understand the risks. > > I want to take raw JS input from the user, generate an AST, > cleanse/evaluate/mangle it, then "re-compile" to minified JS *only* when > we know is safe. If the script is doing unsafe things, we'll return > compiler errors. Our compiler needs to be able to limit the JS globals to a > short "whitelist". i.e. stuff like eval() is not available within the > script. > > Scripts will be run in our node app using vm.runInNewContext(). We will > pass in a context object with the data that the user will be processing > with their script. > > Has anyone done something like this? I have a small bit of code started > using uglify but am wondering if there are some other projects or design > ideas I can pluck from before getting to deep into the weeds. > > Thanks > > Kevin > -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to nodejs@googlegroups.com To unsubscribe from this group, send email to nodejs+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en