peterqliu

Eval web demo Security Caveats This code runs in a Worker with { permissions: { write: false, read: false, net: false } } . This is likely very safe, but if you enable network access keep in mind that users might generate junk network traffic or attempt to make infinite loops. If sandboxed code knows the name of one of your private vals it will be able to import the code with import "https://esm.town/v/maxm/private" . If you enabled write: true in the Worker, the unix socket that Deno uses to communicate with the host can be deleted and intercepted. This might mean that evaluated code can steal the socket and read the next request. You should not use this to evaluate code that should not be read by a previous evaluation. All code is running on the same process and you are not protected from exotic attacks like speculative execution. Overview You can use this library to evaluate code: import { evalCode } from "https://esm.town/maxm/eval" console.log(await evalCode("export const foo = 1")) // => 1 You can use this library with https://www.val.town/v/maxm/transformEvalCode to return the last value without needing to export it. This is how the /eval api endpoint used to work and makes the library preform similarly to a repl. import { evalCode } from "https://esm.town/maxm/eval" import { transform } from "https://esm.town/maxm/transformEvalCode" console.log(await evalCode(transform("1+1"))) // => 2 Here's an example UI application that demonstrates how you can string this all together: https://maxm-evalui.web.val.run/ (source: https://www.val.town/v/maxm/evalUI) Security Model Code is evaluated using a dynamic import within a Worker. await import(`data:text/tsx,${encodeURIComponent(e.data)}`); Running the code withing a Worker prevents access to GlobalThis and window from leaking between evals. Similarly, access to Deno.env is prevented and evaluations will see errors when trying to access any environment variables. TODO: what else?

Handling query params in requests Using the standard URL#searchParams method, you can grab query parameters out of any val that is operating using the Web API . This val demonstrates how to grab one or more query parameters. It returns the all the query parameters found as a json response.