I have a javascript file that reads another file which may contain javascript fragments that need to be eval()-ed. The script fragments are supposed to conform to a strict subset of javascript that limits what they can do and which variables they can change, but I want to know if there is some way to enforce this by preventing the eval from seeing variables in the global scope. Something like the following:
function safeEval( fragment ) { var localVariable = g_Variable; { // do magic scoping here so that the eval fragment can see localVariable // but not g_Variable or anything else outside function scope eval( fragment ); } } The actual code doesn’t need to look like this–I’m open to any and all weird tricks with closures, etc. But I do want to know if this is even possible.
Short answer: No. If it’s in the global scope, it’s available to anything.
Long answer: if you’re
eval()ing untrusted code that really wants to read or mess with your execution environment, you’re screwed. But if you own and trust all code being executed, including that beingeval()ed, you can fake it by overriding the execution context:Again, I must stress: