JS lang engines should cache the @sandbox vals that it cares about #41

Closed
max99x opened this Issue Jun 23, 2011 · 3 comments

Comments

Projects
None yet
2 participants
Owner

max99x commented Jun 23, 2011

Users can modify the sandbox's eval, which breaks the REPL. E.g. in CoffeeScript:

>>> 5
==> 5
>>> eval = 42
>>> 5
TypeError: number is not a function

This also applies to any other sandboxed object. We should cache these in the engine constructor.

Owner

amasad commented Jun 23, 2011

If we cache it in the top window we can't use it in the iframe (try it).

On Thu, Jun 23, 2011 at 4:32 AM, max99x <
reply@reply.github.com>wrote:

Users can modify the sandbox's eval, which breaks the REPL. E.g. in
CoffeeScript:

5
==> 5
eval = 42
5
TypeError: number is not a function

We should cache it in the engine constructor.

Reply to this email directly or view it on GitHub:
https://github.com/amasad/jsrepl/issues/41

Amjad Masad

Owner

max99x commented Jun 23, 2011

We can cache it inside the sandbox in an __eval or some such. The other objects should work fine though.

Owner

max99x commented Jun 23, 2011

Ok, I've kinda fixed this by caching compilers as instance data and eval as @sandbox.__eval. Not a complete fix, but reasonable. An interesting alternative we could look into is to force strict mode by prefixing every eval with a 'use strict';. Move already does it, and it prevents eval overwriting. However, I'm not sure which browsers other than Chrome use engines that support this. There may also be a way to work around this using properties, but I haven't looked too deep into this.

@max99x max99x closed this Jun 23, 2011

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment