Firefox javascript sandboxing
Published 18 years ago • Last updated March 22, 2025 • ⏱️ 2 min read
As a technical challenge and maybe in future to allow Hackvertor to execute javascript code from the user. I decided to create a javascript sandbox.
It works by first running the code through a new Function constructor and tosource, the reason for this is that Firefox actually converts the code supplied e.g. 'te\st' becomes 'test' etc. Then a private function is created to handle the supplied code, it loops through global objects and assigns each of them as a local variable to remove dangerous functions. Underscores are removed from the code because I found it impossible to secure parent as it cannot be redefined. The global Function is overwritten and the constructor to prevent access to new Function() calls.
Giorgio Maone found some excellent holes in my code which hopefully I've fixed now. Giorgio makes the excellent noscript simply the best Firefox extension on the net! Thanks Giorgio :)
Update...
Waldo on the slackers forum found some excellent vectors to slip through the sandbox. I've updated the script to take into account that there are millions of ways to return to the window object in Javascript. This time I've changed the sandbox to nullify the actual window object properties and restore them when the sandbox is run. Big thanks to Waldo for the awesome stuff, more of his sandbox breaking (for Facebook) can be viewed here.
So join in the fun and see if you can execute code:- Firefox sandbox