Whitelisting Javascript input

Question

I need to execute javascript code that is written by users. Of course I must assume the javascript to be malicious. I have a global object in the page which the scripts must interact with, but I don't wan the script to be able to access anything else including the DOM, jQuery, and the window object.

Would it be possible to modify incoming javascript to strip out anything that I have not explicitly white listed?

For example:

function modField(){
  if(!f.alpha.enabled){
    f.main.enabled = /960/.test(f.productName.text);
    f.name = document.getElementById('#username');
  }

}

Would become after cleaning:

function modField(){
  if(!f.alpha.enabled){
    f.main.enabled = /960/.test(f.productName.text);
  }

}

How do I do this?

As in [Is It Possible to Sandbox JavaScript Running In the browser?](http://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser) ? — Alex K., Nov 16 '16 at 16:49
@Novice indeed - if the code if _just_ ran in the browser of the user who wrote it, then there is no need for security. After all, they can just open the console anyway. If it's going to run on somebody else's browser, then you'd need to be careful. — VLAZ, Nov 16 '16 at 17:01
Where are you gonna run the code, if it's on the client side then why worry? **Let them burn their machines**! If you are running this code on your servers(like codepens) then it becomes a problem. — Vinay, Nov 16 '16 at 17:05
@vlaz yes there is no point imposing restrictions on client side, a determined hacker would eventually break any security measure a developer may wish to impose.In js it's much easier people use closures for secret stuff (like key handling) but even that can be cracked. — Vinay, Nov 16 '16 at 17:11
I'm going to need to run this code both server-side and in the browser. On the server side It will end up being executed in V8, but it will need to run in the browser as well. — Prichmp, Nov 16 '16 at 17:23
I've thought about Google Caja, but would that work server side? It seems like it needs access to the window object. — Prichmp, Nov 16 '16 at 17:26
[Ummm...](http://i.imgur.com/kM94WJp.png) what's up with the comments? Why is my comment responding to Novice _before_ his comment? — VLAZ, Nov 16 '16 at 17:30
@Gamebear anyway, if you're going to run it _on the server_ I assume you're using JS for the server-side language. Presumably Node. There are other sandbox modules that can be used there. — VLAZ, Nov 16 '16 at 17:31
@vlaz OK perhaps what I do is run it in one of these Node sandboxes serverside, and run it with Caja browserside. If you want to write that up as an answer I'll mark it as correct. — Prichmp, Nov 16 '16 at 20:42
@Gamebear I don't think it's worth an answer. It's just information from other questions - I wasn't aware of Caja until it was linked here, but I have seen the question being asked for Node. Can't really be bothered to search for questions there right now, somewhay because they might be out of date - there are likely to be more sandbox modules for Node, so I don't think there can be "one true" answer for that. Hence, just spreading the word for their existence. — VLAZ, Nov 16 '16 at 22:27

Whitelisting Javascript input

0 Answers0