Hello jusbuc2k!
No, it applies to all supported script engines. ClearScript does not add or remove anything from a script engine at instantiation time. Well, actually, no, that's not 100% true. ClearScript does create an object named
Yes, that's correct.
Good luck!
Does your statement "If you don't expose any host objects, JavaScript code can only access built-ins such as Math" only apply when using the V8 Engine?
No, it applies to all supported script engines. ClearScript does not add or remove anything from a script engine at instantiation time. Well, actually, no, that's not 100% true. ClearScript does create an object named
EngineInternal for its own use, but it does not remove any built-ins.
It seems like if you use Microsoft.ClearScript.Windows.JScriptEngine for example, you could use ActiveXObject as an exploit.
Yes, that's correct.
ActiveXObject is a JScript built-in. If that's a concern, you might want to do something like this before running unknown script code:
engine.Execute("delete ActiveXObject");
