Background: I'm working on a framework/library to be used for a specific site in coordination with greasemonkey/userscripts. This framework/library will al
You can do something like this: http://jsfiddle.net/g68NP/
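The problem is that you'll have to add a lot of code to protect every property, every native method, etc. The meat of the code really comes down to using __defineGetter__, whose support is limited. Since you're probably not running this on IE, you should be fine. Keep in mind that this is a deny-list: anything you have not explicitly wrapped stays reachable from the evaluated code, so treat the approach as hardening rather than as a sandbox.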
EDIT: http://jsfiddle.net/g68NP/1/ This code will make all properties read-only. The use of hasOwnProperty() may or may not be desirable: it limits the protection to the element's own properties, so inherited ones are left untouched.
In case JSFiddle goes down:
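/**
 * Evaluate `input` as a JavaScript expression while `window.eval`,
 * `window.evalJS` and `document.getElementById` are temporarily replaced.
 *
 * During the call, `eval`/`evalJS` are no-op stubs and `getElementById`
 * returns the real element with each of its own enumerable properties
 * redefined as a getter-only accessor (read-only snapshot of the value at
 * lookup time). Those getters stay on the element after the call returns.
 *
 * SECURITY: this still runs eval() on caller-supplied text and is NOT an
 * isolation boundary. Only the three names above are replaced, and only for
 * the duration of the synchronous call; everything else reachable from the
 * global object remains available to the evaluated code. Do not pass
 * untrusted input; for that, use a real isolation mechanism (for example a
 * sandboxed iframe or a Worker) or a dedicated expression parser.
 *
 * @param {string} input - Source text of a single expression.
 * @returns {*} The value of the expression, or `undefined` if evaluation threw.
 */
function safeEval(input) {
  var originalEval = window.eval;
  var originalEvalJS = window.evalJS;
  var originalGetElementById = document.getElementById;
  var result;

  // Bind name and value per property. Defining the getter inline in the loop
  // would share one `prop` variable across all getters and would read
  // elem[prop] from inside its own getter, which recurses until the stack
  // overflows.
  function makeReadOnly(target, name, value) {
    target.__defineGetter__(name, function () {
      return value;
    });
  }

  // Hide eval and evalJS from the evaluated code.
  window.eval = function () {};
  window.evalJS = function () {};

  document.getElementById = function (id) {
    var elem = originalGetElementById.call(document, id);
    // for...in over null/undefined runs zero iterations, so a missing
    // element is returned unchanged.
    for (var prop in elem) {
      if (Object.prototype.hasOwnProperty.call(elem, prop)) {
        makeReadOnly(elem, prop, elem[prop]);
      }
    }
    return elem;
  };

  try {
    // NOTE: more sanitisation is needed before `input` reaches eval.
    // Calling eval through an alias is an indirect eval (global scope), and
    // the wrapping anonymous function keeps the evaluated code from seeing
    // the saved originals held in this function's locals.
    result = originalEval("(function(){return " + input + "}())");
  } catch (ex) {
    // Deliberately best-effort: any syntax or runtime error yields undefined.
  } finally {
    // Always put the real functions back, whatever happened above.
    window.eval = originalEval;
    window.evalJS = originalEvalJS;
    document.getElementById = originalGetElementById;
  }

  return result;
}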