
@getify

getify/sandbox.js

Last active Jul 21, 2020
function sandboxJS(js) {
var whitelist = ["alert","console","navigator","location"];
var handlers = {
has(target,key,context) {
if (whitelist.indexOf(key) >= 0) {
return Reflect.has(
target, key, context
);
}
else {
throw new Error("Not allowed: " + key);
}
}
};
var proxy = new Proxy(window,handlers);
var proxyName = `proxy${Math.floor(Math.random() * 1E9)}`;
var fn = new Function(proxyName,`with(${proxyName}){${js}}`);
return fn.call(this,proxy);
}
// Demo: the first snippet resolves an allow-listed global and prints 2; the
// second names `history`, which the `has` trap refuses, so it throws
// Error("Not allowed: history") before console.log runs.
for (const snippet of ["console.log(2)", "console.log(history)"]) {
  sandboxJS(snippet); // 2, then Error: Not allowed: history
}

@hackvertor hackvertor commented Jul 2, 2020

sandboxJS("}eval('alert(1337)');{");


@hackvertor hackvertor commented Jul 2, 2020

sandboxJS("[].constructor.prototype.indexOf=x=>1");
sandboxJS("eval('top.alert(1337)')");


@hackvertor hackvertor commented Jul 2, 2020

sandboxJS("''.sub.constructor('eval(alert(1337))')()");
