Introduction:
- eval executes a piece of code
- eval cannot be safely used with external input
- Python's ast.literal_eval would be almost useless in modern JavaScript (almost all data types can easily be sent as JSON)

literal_eval description:
> The string or node provided may only consist of the following Python literal
> structures: strings, numbers, tuples, lists, dicts, booleans, and None.

My proposition is "safe eval". Safe eval ( eval.safe(string: code, callback) ) should perform these steps:
- Create an isolated realm without capabilities to perform almost any IO (implementation-dependent: no XHR, no importScripts, no require)
- evaluate the code in the context of the created realm
- post the result of the last evaluated expression back to the creator realm using the structured-clone algorithm
- call the callback with the returned data

Pros:
+ sandbox offered by the language
+ easy to run in another thread
+ quite easy to polyfill
+ servers can send computations to users

Cons:
- Realm creation can be costly (but implementations can solve this problem in many ways)
- proposal does not include support for asynchronous operations

_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss