How to increase the security of Expression and avoid being executed evil javascript code

[WoeOm]

Version

Reproduction link
https://sunmao-ui.com/dev.html
Steps to reproduce
Inside the Text component, enter {{alert()}}
What is expected?

What is actually happening?

[tanbowensg]

Good point. Sunmao uses new function() to run the code in Expression, so the expression will run globally and Sunmao can not prevent expression from running.

But there is a simple workaround to solve this problem to some extent, which is overriding some dangerous global variables(like alert) when evaluating expressions. Maybe we can add it into next version.

[WoeOm]

javascript sandbox is very tricky problem.

But lowcode allows access to third-party apis, and the return values of apis such as (alert(), GetSessionToken(), eval()) may also be executed through {{api.result}}.

[Yuyz0112]

One thing I'm thinking about is how should we define 'dangerous code'.

Because in sunmao, the expressions were written by the app developer, the people that can responsible for the code.

[Yuyz0112]

Another point is whether the expression system cause XSS happens easier. I think the answer is yes and there is something we can improve.