Caja contains the original-SES, which still works fine, but mostly supports only the features from EcmaScript 5 with a few select elements of EcmaScript 6.
SES is built on modern JavaScript and supports modern JavaScript --- including all of the EcmaScript 2018 standard. It is also much faster than the original-SES in Caja. SES is a joint effort of Agoric and Salesforce. Unlike Caja, SES runs everywhere modern JavaScript runs, including both browser and Node. See
OTOH, Caja contains Domado, which is a taming of the browser and DOM APIs, so that you can give your untrusted code access to a subtree of you DOM tree. We expect to reproduce this functionality eventually on modern SES but, currently, we are not treating it as urgent. If you need Domado functionality in order to use SES rather than Caja, please let us know.
Yes, this is what Caja was designed to do. You may not need all of
Caja, though. Can you tell us more about what you'd like to allow
them to do?
On Mon, Jan 7, 2019 at 8:32 AM Yehonathan Sharvit <vie...@gmail.com> wrote:
>
> Hello Caja folks,
>
> I'd like to allow users to eval javascript code snippets on my website.
> But eval is too dangerous.
>
> I was thinking of using Caja to provide a sanitized version of eval.
>
> Is it possible with caja to evaluate dynamic code snippets provided by users?
> If yes, how?
>
> Thanks,
> Yehonathan
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-caja-dis...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--