I'd like to be able to allow community members to supply their own JavaScript code for others to use, because the users' imaginations are collectively far greater than any

No, you practically can't prevent user-provided JavaScript code from running whatever it wants - even disallowing eval() can't prevent it from running arbitrary programs (it could be a JavaScript interpreter itself, in which case it just implements the eval() function, and many other ways - e.g. it can add HTML with some event handlers in string form, then execute them, it can document.write() a new script etc.).
If your site doesn't need this user supplied JS to run on other users' computers, I'd just put a big fat warning, add some human control (that could flag rogue code as such), maybe some antivirus software on the server (don't know much about that).
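
The interpreter point in the answer above, as an added example that is not part of the original post: a submitted script that passes an eval ban while still taking its behaviour from a string at run time. The names `naiveEvalFilter`, `miniInterpreter` and `makeHost` are hypothetical, and the host object is a constructed stand-in for the page environment.

```javascript
// Hypothetical check a site might run on submitted scripts: reject any eval( call.
function naiveEvalFilter(source) {
  return /\beval\s*\(/.test(source) ? "rejected" : "accepted";
}

// Constructed submission: a small stack-machine interpreter. It contains no
// banned call, yet what it does is decided by a string that arrives at run time.
function miniInterpreter(program, host) {
  const stack = [];
  for (const token of program.trim().split(/\s+/)) {
    if (/^-?\d+$/.test(token)) {
      stack.push(Number(token)); // numeric literal
    } else if (token === "add") {
      stack.push(stack.pop() + stack.pop());
    } else if (token === "mul") {
      stack.push(stack.pop() * stack.pop());
    } else if (token.startsWith("call:")) {
      // Invoke a function reachable through the host object, chosen by name.
      const name = token.slice(5);
      stack.push(host[name](stack.pop()));
    } else {
      throw new Error("unknown instruction: " + token);
    }
  }
  return stack.pop();
}

// Stand-in for the environment the script runs in (constructed for this example).
function makeHost() {
  const calls = [];
  return { calls, record(value) { calls.push(value); return value; } };
}

function demo() {
  // The reviewer's filter sees only the interpreter source, which is clean.
  const verdict = naiveEvalFilter(miniInterpreter.toString());
  const host = makeHost();
  // The "program" is plain data and was never shown to the filter.
  const result = miniInterpreter("6 7 mul 0 add call:record", host);
  return { verdict, result, calls: host.calls };
}

console.log(demo());
```

The filter's verdict covers the interpreter's source only; the instructions it later executes are data, so a review of the submitted code says nothing about them.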