Published 16 years 11 months ago • Last updated March 22, 2025 • ⏱️ 2 min read
I've been slowly developing JSReg over the last few months and I've dropped lots of code and redone it many times. This latest version is a code rewriter and will sandbox most javascript properties and the goal is to produce a complete locked down version (which can be improved upon later).
So far it's going well, I think the experience of hacking sandboxes and hacking my own code has resulted in a better version. I'd like to thank Sirdarckcat (Eduardo Vela) for testing and giving me some great suggestions.
There are a couple of bugs and limitations, at the moment arrays don't work because of a bug in [] object syntax. I hope to fix this soon though. It also eats new lines when using functions or other stuff, you can get round this at the moment by using ; after the function declaration. The alert function is only supported at the minute but I plan to add more once the code is a bit more stable. Finally there is no DOS protection at the minute and you can probably throw objects in the global scope although you should be able to access other globals or modify them.
So can you break it? Execute code not intended like Function or maybe access global variables other than the $_ prefix and suffix allowed.
Here is a code sample that works fine:-
<pre lang="javascript"> function x(){ var m=1; this.getM=function(){ return m; } }; y=new x; y.getM() </pre>