How can I make external code 'safe' to run? Just ban eval()?

Front-end · open · 6 · 1040
情书的邮戳 2020-12-30 14:40

I'd like to be able to allow community members to supply their own javascript code for others to use, because the users' imaginations are collectively far greater than any

6 answers
  •  旧巷少年郎
    2020-12-30 15:07

    You need to execute the untrusted code in a sandboxed environment. This means creating an iframe with the sandbox attribute (see this article), and additionally creating a web worker inside that frame (so that the code runs in a separate thread and does not hang the UI in case the user has submitted something strange).

    If you need to interact somehow with the code sandboxed in the described way, the messaging mechanism can be used. This is a bit tricky, but there are some libraries simplifying the task, including one created by myself: https://github.com/asvd/jailed
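The sandboxed iframe, inner web worker and messaging setup this answer describes, as an added example in browser JavaScript (not code from the answer or from the jailed library). The names SANDBOX_SRCDOC, runUntrusted and parseSandboxReply are assumed for the example, and user code is expected to report its result with postMessage(value).

```javascript
// Host-page side of the sandbox the answer describes: a sandboxed iframe that spawns a Web Worker
// and talks to the host with postMessage. Names (SANDBOX_SRCDOC, runUntrusted, parseSandboxReply)
// are assumed for this example, not taken from the answer or from jailed.

// Bootstrap document for the iframe. With sandbox="allow-scripts" and no allow-same-origin the
// frame gets an opaque "null" origin: no host DOM, cookies or storage. The user's code arrives
// by postMessage, so nothing untrusted is ever spliced into this markup.
const SANDBOX_SRCDOC = `<!doctype html><script>
  let worker = null;
  addEventListener('message', (e) => {
    if (e.source !== parent || !e.data || e.data.type !== 'run') return;  // only the host drives us
    if (worker) worker.terminate();
    // The worker runs on its own thread, so a busy loop in user code cannot freeze the host UI.
    const url = URL.createObjectURL(new Blob([String(e.data.code)], { type: 'text/javascript' }));
    worker = new Worker(url);
    worker.onmessage = (m) => parent.postMessage({ type: 'result', value: m.data }, '*');
    worker.onerror = (err) => parent.postMessage({ type: 'error', message: err.message }, '*');
  });
</script>`;

// Normalise whatever the frame sends back; it is data from untrusted code, never treat it as code.
function parseSandboxReply(data) {
  if (data && typeof data === 'object' && data.type === 'result') return { ok: true, value: data.value };
  if (data && typeof data === 'object' && data.type === 'error') return { ok: false, error: String(data.message) };
  return { ok: false, error: 'malformed reply from sandbox' };
}

// Run userCode (which reports its result with postMessage(value)) and resolve with that value.
// Runaway code is stopped by removing the iframe, which also terminates its worker.
function runUntrusted(userCode, { timeoutMs = 2000 } = {}) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.setAttribute('sandbox', 'allow-scripts');  // deliberately NOT allow-same-origin
    frame.style.display = 'none';
    frame.srcdoc = SANDBOX_SRCDOC;
    const cleanup = () => { clearTimeout(timer); removeEventListener('message', onMessage); frame.remove(); };
    const timer = setTimeout(() => { cleanup(); reject(new Error(`sandbox timed out after ${timeoutMs} ms`)); }, timeoutMs);
    function onMessage(e) {
      if (e.source !== frame.contentWindow) return;  // origin is "null", so match on the source window
      cleanup();
      const reply = parseSandboxReply(e.data);
      reply.ok ? resolve(reply.value) : reject(new Error(reply.error));
    }
    addEventListener('message', onMessage);
    frame.onload = () => frame.contentWindow.postMessage({ type: 'run', code: userCode }, '*');
    document.body.appendChild(frame);
  });
}
```

In a page, runUntrusted('postMessage(6 * 7)') resolves to 42, while user code that loops forever rejects with the timeout error once the frame has been removed.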
