
Show HN: Duktape-eval – an eval library built on Duktape and WebAssembly - maple3142
https://github.com/maple3142/duktape-eval
======
jitl
Consider looking into QuickJS
([https://bellard.org/quickjs/](https://bellard.org/quickjs/)) instead which
has more impressive standards support than Duktape.

Figma has a series of blog posts on sandboxing Javascript in the browser for
their plugins API:

[https://www.figma.com/blog/how-we-built-the-figma-plugin-system/](https://www.figma.com/blog/how-we-built-the-figma-plugin-system/)

[https://www.figma.com/blog/an-update-on-plugin-security/](https://www.figma.com/blog/an-update-on-plugin-security/)

tl;dr they use QuickJS via WebAssembly at the moment.

~~~
lioeters
I noticed the GitHub repo's been updated to include a QuickJS version.

[https://github.com/maple3142/wasm-jseval](https://github.com/maple3142/wasm-jseval)

------
zemnmez
What's the benefit of doing it this way vs in a traditional <iframe
sandbox="allow-scripts"/> ?

------
cocktailpeanuts
Is this completely secure? I think this point should be addressed as the main
selling point if it does.

~~~
K0nserv
Nothing is completely secure; if you find a WASM escape you can trigger from
JS within Duktape, it wouldn't be secure, for example.

But yes, outside of escapes like that, it should be safe to run arbitrary JS
via this mechanism.

------
creativeembassy
Intriguing! Opens up some interesting possibilities. User-submitted javascript
for manipulating data, without exposing other users to XSS attacks?

