I’m trying to use Douglas Crockford’s ADsafe library. I thought it is supposed to

Question

0

Asked: May 25, 20262026-05-25T03:08:01+00:00 2026-05-25T03:08:01+00:00

I’m trying to use Douglas Crockford’s ADsafe library. I thought it is supposed to

0

I’m trying to use Douglas Crockford’s ADsafe library.
I thought it is supposed to restrict the JavaScript that can be used, but it seems to be letting dangerous calls through, such as eval().

Here’s an example of the sandbox not restricting anything:

<html>
<head>
<title>ADsafe Widget Template</title>
</head>
<body>
    <script src="adsafe.js"></script>

    <div id="WIDGET_">
    <script>
        ADSAFE.go("WIDGET_", function (dom, lib) {
            "use strict";

            // 
            // ADsafe is allowing these to execute!!
            // 
            window.alert("window.alert is working :(");
            eval('window.alert("hello from eval")');
            window.location = "http://www.google.com";
        });
    </script>
    </div>
</body>
</html>

Does anybody know how the ADsafe sandbox is supposed to work?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-25T03:08:02+00:00

Editorial Team

2026-05-25T03:08:02+00:00Added an answer on May 25, 2026 at 3:08 am

As far as I can tell, ADsafe does not actually check your code for these violations. You are expected to use JSLint with ADsafe options enabled, to parse any untrusted JavaScript and verify that there are no ADsafe violations, before using it.

Anyone, please correct me if this is wrong.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m trying to use Douglas Crockford’s ADsafe library. I thought it is supposed to

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply