Eval, literal eval, safe eval

Michał Wadas michalwadas at gmail.com
Sun Nov 23 03:27:22 PST 2014


Introduction:
- eval executes a piece of code
- eval cannot be safely used with external input
- Python's ast.literal_eval would be almost useless in modern
JavaScript (almost all data types can easily be sent as JSON)

literal_eval description:
>The string or node provided may only consist of the following Python literal structures: strings, numbers, tuples, lists, dicts, booleans, and None.



My proposition is "safe eval".
Safe eval ( eval.safe(string: code, callback) ) should perform these steps:
- Create isolated realm without capabilities to perform almost any IO
(implementation dependent - no XHR, no importScript, no require)
- evaluate code in context of created realm
- post result of last evaluated expression back to creator realm using
structured-clone algorithm
- call callback with returned data

Pros:
+ sandbox offered by language
+ easy to run in other thread
+ quite easy to polyfill
+ servers can send computations to users
Cons:
- Realm creation can be costly (but implementations can solve this
problem in many ways)
- proposal does not include support for asynchronous operations

