// Invokes `constructor` with `new` semantics and an argument array (an ES5
// substitute for spreading arguments into `new`). A surrogate function calls
// the target constructor on the freshly created object; because the surrogate
// shares the target's prototype, instances still pass `instanceof` checks, and
// because it returns the constructor's own return value, constructors that
// return an object (such as Function) yield that object instead.
function construct(constructor, args) {
  var Surrogate = function () {
    return constructor.apply(this, args);
  };
  Surrogate.prototype = constructor.prototype;
  return new Surrogate();
}
// Sandboxer
// Sandboxer: evaluates `string` as the body of a generated Function whose
// parameter list carries the name of every enumerable property of `window`
// (plus "Function"), so that inside the body those names resolve to the
// undefined arguments instead of the real globals. `inject` is used as `this`
// for the body; an empty object is used when it is falsy.
//
// NOTE(review): this is name shadowing, not isolation. Non-enumerable globals
// such as eval are not enumerated (compare the generated parameter list in the
// block comment below), and the strict body cannot even take "eval" as a
// parameter name, so the global object stays reachable; do not run untrusted
// code through this. Real containment needs a sandboxed iframe or a Worker.
function sandboxcode(string, inject) {
  "use strict";
  var shadowedNames = ["Function"];
  var name;
  for (name in window) {
    // <--REMOVE THIS CONDITION
    if (name !== "console") {
      shadowedNames.push(name);
    }
    // REMOVE THIS CONDITION -->
  }
  // The strict prologue keeps `this` undefined in nested plain function calls,
  // so (function(){return this;}()) inside the body does not yield the global.
  var strictBody = '"use strict";\n' + string;
  shadowedNames.push(strictBody);
  var runner = construct(Function, shadowedNames);
  var receiver = inject || {};
  return runner.apply(receiver);
}
// Demo 1: window-derived names resolve to undefined inside the sandboxed body,
// `this` is the default empty object, and the nested plain call also yields
// undefined because the generated body is strict.
sandboxcode('console.log( this, window, top , self, parent, this["jQuery"], (function(){return this;}()));');
// => Object {} undefined undefined undefined undefined undefined undefined
// Demo 2: the second argument becomes `this` for the sandboxed body.
console.log("return of this", sandboxcode('return this;', {window:"sanboxed code"}));
// => Object {window: "sanboxed code"}
/*
this generates an anonymous function like this
function anonymous(top,window,location,external,chrome,document,bencode,bendecode,fileinput,handleFile,data,construct,sandboxcode,speechSynthesis,webkitNotifications,localStorage,sessionStorage,applicationCache,webkitStorageInfo,indexedDB,webkitIndexedDB,crypto,CSS,performance,devicePixelRatio,styleMedia,parent,opener,frames,self,defaultstatus,defaultStatus,status,name,length,closed,pageYOffset,pageXOffset,scrollY,scrollX,screenTop,screenLeft,screenY,screenX,innerWidth,innerHeight,outerWidth,outerHeight,offscreenBuffering,frameElement,clientInformation,navigator,toolbar,statusbar,scrollbars,personalbar,menubar,locationbar,history,screen,postMessage,close,blur,focus,ondeviceorientation,ondevicemotion,onunload,onstorage,onresize,onpopstate,onpageshow,onpagehide,ononline,onoffline,onmessage,onhashchange,onbeforeunload,onwaiting,onvolumechange,ontimeupdate,onsuspend,onsubmit,onstalled,onshow,onselect,onseeking,onseeked,onscroll,onreset,onratechange,onprogress,onplaying,onplay,onpause,onmousewheel,onmouseup,onmouseover,onmouseout,onmousemove,onmouseleave,onmouseenter,onmousedown,onloadstart,onloadedmetadata,onloadeddata,onload,onkeyup,onkeypress,onkeydown,oninvalid,oninput,onfocus,onerror,onended,onemptied,ondurationchange,ondrop,ondragstart,ondragover,ondragleave,ondragenter,ondragend,ondrag,ondblclick,oncuechange,oncontextmenu,onclose,onclick,onchange,oncanplaythrough,oncanplay,oncancel,onblur,onabort,onwheel,onwebkittransitionend,onwebkitanimationstart,onwebkitanimationiteration,onwebkitanimationend,ontransitionend,onsearch,getSelection,print,stop,open,showModalDialog,alert,confirm,prompt,find,scrollBy,scrollTo,scroll,moveBy,moveTo,resizeBy,resizeTo,matchMedia,requestAnimationFrame,cancelAnimationFrame,webkitRequestAnimationFrame,webkitCancelAnimationFrame,webkitCancelRequestAnimationFrame,captureEvents,releaseEvents,atob,btoa,setTimeout,clearTimeout,setInterval,clearInterval,TEMPORARY,PERSISTENT,getComputedStyle,getMatchedCSSRules,webkitConvertPointFromPageToNode,web
kitConvertPointFromNodeToPage,webkitRequestFileSystem,webkitResolveLocalFileSystemURL,openDatabase,addEventListener,removeEventListener,dispatchEvent
) {
"use strict";
return this;
} */
@yonixw yonixw commented Dec 28, 2018

Copied from: https://stackoverflow.com/a/22214371/1997873

  • Trivial to get window back from that. sandboxcode('console.log((0,eval)("this"))') – Ry- Jun 3 '15 at 19:44

  • I'll have to figure out how to prevent that – alejandro Jul 5 '15 at 5:17

  • @alejandro Did you find a way to prevent that? – Wilt Dec 14 '15 at 13:07

  • Broke my head until I just realized you can do eval = 0 globally before calling the sandbox (storing the original function in a temp) and then both global window.eval and eval won't be accessible. Next Hack please! Because I actually consider this option. – YoniXw

My implementation just adds:
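// Runs sandboxcode with the global eval temporarily replaced by a logging stub,
// closing the eval path discussed in the thread above.
// NOTE(review): this is still not a security boundary; the global object stays
// reachable by other means, so do not rely on it for untrusted code.
function sbx(s, p) {
  // Keep the original in a local: the one-liner leaked `e` as an implicit global.
  var originalEval = window.eval;
  window.eval = function (t) { console.log("GOT GOOD"); };
  try {
    return sandboxcode(s, p);
  } finally {
    // Restore even when the sandboxed code throws; otherwise eval would stay
    // replaced for the rest of the page.
    window.eval = originalEval;
  }
}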
