Safely sandbox and execute user submitted JavaScript?

You can use sandbox support in nodejs with vm.runInContext(‘js code’, context), sample in api documentation: https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options const util = require(‘util’); const vm = require(‘vm’); const sandbox = { globalVar: 1 }; vm.createContext(sandbox); for (var i = 0; i < 10; ++i) { vm.runInContext(‘globalVar *= 2;’, sandbox); } console.log(util.inspect(sandbox)); // { globalVar: 1024 } WARN: As … Read more

Refused to execute inline event handler because it violates CSP. (SANDBOX)

Answer for your non sandbox related question: You have something in your code like this: <button onclick=”myFunction()”>Click me</button> In a nutshell this is not allowed in chrome apps and extensions. Change this to the following and it will work: html: <button id=”myButton”>Click me</button> <script src=”https://stackoverflow.com/questions/36324333/script.js”></script> script.js: document.getElementById(“myButton”).addEventListener(“click”, myFunction); function myFunction(){ console.log(‘asd’); } Long story: In … Read more

How can I create a secure Lua sandbox?

You can set the function environment that you run the untrusted code in via setfenv(). Here’s an outline: local env = {ipairs} setfenv(user_script, env) pcall(user_script) The user_script function can only access what is in its environment. So you can then explicitly add in the functions that you want the untrusted code to have access to … Read more