From 7821de8db3b0e261b1cc4813d6622b01a803348e Mon Sep 17 00:00:00 2001 From: Joshua Peek Date: Mon, 22 Dec 2014 23:30:32 -0600 Subject: [PATCH] Note security --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a84f397..98e9d24 100644 --- a/README.md +++ b/README.md @@ -52,11 +52,18 @@ in. If you want to access the Node API, you should check another library like [commonjs.rb](https://github.com/cowboyd/commonjs.rb) designed to provide a consistent interface. -**Why can't I use `setTimeout`** +**Why can't I use `setTimeout`?** For similar reasons as modules, not all runtimes guarantee a full JavaScript event loop. So `setTimeout`, `setInterval` and other timers are not defined. +**Can I ExecJS be used to sandbox scripts?** + +No, ExecJS shouldn't be used for any security related sandboxing. Since runtimes +are automatically detected, each runtime has different sandboxing properties. +You shouldn't use `ExecJS.eval` on any inputs you wouldn't feel comfortable Ruby +`eval()`ing. + # License
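Review bot: The added FAQ heading "**Can I ExecJS be used to sandbox scripts?**" has a stray "I" and should read "Can ExecJS be used to sandbox scripts?". In the paragraph under it, "security related" wants a hyphen, and "Since runtimes are automatically detected, each runtime has different sandboxing properties" reads as if detection causes the difference; "Runtimes are automatically detected and each has different sandboxing properties, so none of them can be relied on" states the reason directly. The warning names only `ExecJS.eval`; if it is meant to apply to every way of handing source to a runtime, say that rather than singling out one method.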