Missed the group reply.

Hi Kevin,

Specifically, if you know you're in an ES5-strict-mode-compliant JS engine,
like a modern V8, to use this, load caja.js and initialize caja as follows:

caja.initialize({ forceES5Mode: true });
caja.load(
  undefined,            /* if you don't need a dom */
  caja.policy.net.ALL,  /* your url policy */
  function (frame) {
    frame.code('a base url', 'text/javascript', '...your js code')
         .run();
  });

To expose more APIs to this isolated code, please see 
https://developers.google.com/caja/

jas

On Wednesday, July 11, 2012 9:52:05 AM UTC-7, Kevin O wrote:
>
> We are working on an app where we want to give users the ability to upload 
> JS scripts to process their data in our app.
>
> Insane, right? :)  Well we are going to do it in a sane way or not do it 
> at all. We understand the risks.
>
> I want to take raw JS input from the user, generate an AST, 
> cleanse/evaluate/mangle it, then "re-compile" to minified JS *only* when 
> we know it is safe. If the script is doing unsafe things, we'll return 
> compiler errors. Our compiler needs to be able to limit the JS globals to a 
> short "whitelist". i.e. stuff like eval() is not available within the 
> script. 
>
> Scripts will be run in our node app using vm.runInNewContext(). We will 
> pass in a context object with the data that the user will be processing 
> with their script. 
>
> Has anyone done something like this? I have a small bit of code started 
> using uglify but am wondering if there are some other projects or design 
> ideas I can pluck from before getting too deep into the weeds. 
>
> Thanks
>
> Kevin
>
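
The plan quoted above (no eval(), only a short set of globals, data handed to vm.runInNewContext()) sketched as an added example that is not code from either poster; the transform(data) convention, the INPUT_JSON name and the sample scripts are assumptions made for illustration. Node's documentation states that the vm module is not a security mechanism, so this shows what a fresh context does and does not expose, not a complete sandbox.

```javascript
const vm = require('node:vm');

// Hypothetical convention for this example: the uploaded script defines
// transform(data) and returns JSON-serializable output.
function runUserScript(source, data, timeoutMs = 100) {
  // Null-prototype context object: nothing inherited from the host realm.
  const context = Object.create(null);
  // Data crosses the boundary as a string primitive, never as a host object.
  context.INPUT_JSON = JSON.stringify(data);

  const wrapped =
    '"use strict";\n' + source +
    '\n;JSON.stringify(transform(JSON.parse(INPUT_JSON)));';
  try {
    const out = vm.runInNewContext(wrapped, context, {
      timeout: timeoutMs, // stops runaway synchronous loops
      // Makes eval() and new Function() throw EvalError inside the context.
      contextCodeGeneration: { strings: false, wasm: false },
    });
    // The result also comes back as a string and is parsed on the host side.
    return { ok: true, value: typeof out === 'string' ? JSON.parse(out) : undefined };
  } catch (err) {
    // Report only a short label; do not hand the thrown object onward.
    const label = err && (err.code || err.name);
    return { ok: false, error: typeof label === 'string' ? label : 'Error' };
  }
}

// Constructed sample scripts.
const SAMPLES = {
  sum: 'function transform(d) { return d.rows.reduce((a, b) => a + b, 0); }',
  // require and process are absent, but eval still exists in every new context.
  probe: 'function transform() { return [typeof require, typeof process, typeof eval]; }',
  evalCall: 'function transform() { return eval("1 + 1"); }',
  spin: 'function transform() { while (true) {} }',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(runUserScript(src, { rows: [1, 2, 3] })));
}
```

The probe sample shows why a context object alone cannot whitelist globals: built-ins such as eval belong to the new context itself, so they have to be disabled through the code generation option or rejected at the AST stage.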
