Channel: ClearScript

New Post: Sandboxing and security

Hello jusbuc2k!

Does your statement "If you don't expose any host objects, JavaScript code can only access built-ins such as Math" only apply when using the V8 Engine?

No, it applies to all supported script engines. ClearScript does not add or remove anything from a script engine at instantiation time. Well, actually, no, that's not 100% true. ClearScript does create an object named EngineInternal for its own use, but it does not remove any built-ins.

It seems like if you use Microsoft.ClearScript.Windows.JScriptEngine for example, you could use ActiveXObject as an exploit.

Yes, that's correct. ActiveXObject is a JScript built-in. If that's a concern, you might want to do something like this before running unknown script code:
engine.Execute("delete ActiveXObject");
Good luck!
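
The suggestion above as an added example (not code from the post or from the ClearScript project): delete the built-in, then confirm it no longer resolves before any unknown script runs. `ScriptHardening`, `RemoveBuiltIns` and `BlockedBuiltIns` are hypothetical names, and the script string is a constructed stand-in for untrusted input.

```csharp
// Added example, not ClearScript project code. JScriptEngine is Windows-only.
using System;
using System.Text.RegularExpressions;
using Microsoft.ClearScript;
using Microsoft.ClearScript.Windows;

static class ScriptHardening
{
    // Built-ins to remove before untrusted code runs. ActiveXObject is the one
    // named in the post; extend the list to match your own threat model.
    static readonly string[] BlockedBuiltIns = { "ActiveXObject" };

    static readonly Regex Identifier = new Regex(@"^[A-Za-z_$][A-Za-z0-9_$]*\z");

    // Hypothetical helper: deletes each name, then checks that it is gone.
    public static void RemoveBuiltIns(ScriptEngine engine)
    {
        foreach (var name in BlockedBuiltIns)
        {
            // The name is spliced into script text, so accept plain identifiers only.
            if (!Identifier.IsMatch(name))
                throw new ArgumentException("Not a plain identifier: " + name);

            engine.Execute("delete " + name);

            // Fail closed: refuse to continue if the built-in is still reachable.
            var kind = engine.Evaluate("typeof " + name) as string;
            if (kind != "undefined")
                throw new InvalidOperationException(
                    name + " is still defined (typeof = " + kind + ")");
        }
    }
}

static class Program
{
    static void Main()
    {
        using (var engine = new JScriptEngine())
        {
            ScriptHardening.RemoveBuiltIns(engine); // before any unknown script runs

            // Constructed stand-in for untrusted input.
            var untrusted = "typeof ActiveXObject + ' / ' + Math.max(1, 2)";
            Console.WriteLine(engine.Evaluate(untrusted));
        }
    }
}
```

The helper throws instead of continuing when a deletion does not take effect, so the host never runs unknown script against an engine that still exposes a blocked built-in.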
