Hi Tomaso,
Originally ClearScript supported only JScript and VBScript. As far as we know, these script engines don't have syntax checking APIs, nor do they support compilation. V8 supports compilation, so we added
A script with syntax errors can't be executed, so it can't have harmful side effects. On the other hand, if a script originates from an untrusted source, checking its syntax won't guarantee that it's bug free and won't abuse your host objects. The best approach is to expose a host API that prevents scripts from doing damage by exposing read-only operations when possible, enforcing limits, etc.
Please send us your further thoughts.
Happy New Year!
is it a design choice to prevent syntax checking and script compilation from being called independently from script execution?
Originally ClearScript supported only JScript and VBScript. As far as we know, these script engines don't have syntax checking APIs, nor do they support compilation. V8 supports compilation, so we added
V8ScriptEngine.Compile().
But if execution leads to side effects on host objects, I'd prefer to make a syntax check before exec instead of realizing that script was wrong once several host objects have been changed.
A script with syntax errors can't be executed, so it can't have harmful side effects. On the other hand, if a script originates from an untrusted source, checking its syntax won't guarantee that it's bug free and won't abuse your host objects. The best approach is to expose a host API that prevents scripts from doing damage by exposing read-only operations when possible, enforcing limits, etc.
Please send us your further thoughts.
Happy New Year!