simonw

I was interested to see that this uses the DukPy wrapper around Duktape for the JavaScript interpreter: https://browser.engineering/scripts.html

This made me start digging into whether this was considered a "safe" way of executing untrusted JavaScript in a sandbox.

It's not completely clear to me if DukPy currently attempts safe evaluation - it's missing options for setting time or memory limits on executed code for example: https://github.com/amol-/dukpy

There's a QuickJS Python wrapper here which offers those limits: https://github.com/PetterS/quickjs

I'm pretty paranoid though any time it comes to security and dependencies written in C, so I'd love to see a Python wrapper around a JavaScript engine that has safe sandbox execution as a key goal plus an extensive track record to back it up!

ameliaquining
If you want battle-hardened, I figure you can't do better than V8. Here's a Python wrapper that I've poked at a bit (it's not quite 100% feature-complete but it seems to essentially work): https://github.com/sqreen/PyMiniRacer