feat: Integrate SandboxJS for secure user JS execution #31

Closed: erseco wants to merge 3 commits into main from feat-sandboxjs-integration-13348126296206032348

@erseco erseco commented Feb 28, 2026

Evaluated and integrated SandboxJS to safely support JavaScript inside .elpx projects.

Changes:

  1. Downloaded and added sandbox.min.js and sandbox.min.js.map to public/libs/sandboxjs/.
  2. Created a new backend utility SandboxHtmlProcessor that isolates user-injected JavaScript. It detects inline <script> tags without src attributes and inline on* event handlers inside HTML.
  3. Automatically wraps this code inside a try/catch and executes it within the new Sandbox().compile()() boundary. Default safe globals and standard DOM-access like window, document, and timeouts are explicitly allowed so custom user-scripts still work, but safely.
  4. Integrated this processor in IdeviceRenderer.ts (wrapping user htmlContent) and PageRenderer.ts (wrapping extraHeadContent and extraHeadScripts).
  5. Successfully added unit tests (SandboxHtmlProcessor.spec.ts) and ran tests in node vs browser build environments, implementing a Regex fallback to prevent esbuild issues when JSDOM cannot be natively bundled.

This correctly fulfills the requirement to secure user-added JS across the standard iDevices text boxes and the project header/footer injections!


PR created automatically by Jules for task 13348126296206032348 started by @erseco
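
The detection step in item 2 of the description above (inline `<script>` tags without `src`, plus inline `on*` handlers), written as a regex-only scanner of the kind a Node fallback without `DOMParser` would need. This is an added example, not code from this PR or from SandboxJS; `findInlineJs`, `parseAttrs` and the sample HTML are assumptions made up for illustration.

```javascript
// Added example (not the PR's code): inventory inline JS in an HTML fragment.
// findInlineJs and parseAttrs are hypothetical names.

// Attribute run of a start tag; quoted values may contain '>'.
const ATTRS = `((?:"[^"]*"|'[^']*'|[^'">])*)`;
const SCRIPT_RE = new RegExp(`<script\\b${ATTRS}>([\\s\\S]*?)<\\/script\\s*>`, 'gi');
const TAG_RE = new RegExp(`<([a-z][a-z0-9-]*)\\b${ATTRS}>`, 'gi');
// One attribute at a time, so text inside a quoted value is never rescanned.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  return [...attrText.matchAll(ATTR_RE)].map((m) => ({
    name: m[1].toLowerCase(),
    value: m[2] ?? m[3] ?? m[4] ?? '',
  }));
}

function findInlineJs(html) {
  const findings = [];
  // Pass 1: <script> elements without a src attribute are inline code.
  for (const [, attrs, body] of html.matchAll(SCRIPT_RE)) {
    if (!parseAttrs(attrs).some((a) => a.name === 'src')) {
      findings.push({ kind: 'script', code: body.trim() });
    }
  }
  // Pass 2: empty the script bodies first, so markup quoted inside a script
  // is not reported as a handler, then read on* attributes from each start tag.
  const shell = html.replace(SCRIPT_RE, (_, attrs) => `<script${attrs}></script>`);
  for (const [, tag, attrs] of shell.matchAll(TAG_RE)) {
    for (const { name, value } of parseAttrs(attrs)) {
      if (/^on[a-z]+$/.test(name)) {
        findings.push({ kind: 'handler', tag: tag.toLowerCase(), attr: name, code: value });
      }
    }
  }
  return findings;
}

// Constructed sample input, not taken from an .elpx project.
const SAMPLE_HTML = [
  '<script src="libs/quiz.js"></script>',
  '<script>initQuiz({ hint: "<b onclick=x>" });</script>',
  '<button class="btn" onclick="showHint(\'q1\')">Hint</button>',
  '<p data-note="see onclick=foo">Text</p>',
  '<img alt="logo" onload=track()>',
].join('\n');

console.log(findInlineJs(SAMPLE_HTML));
```

A regex scanner is not an HTML parser and over-reports in places (start tags inside HTML comments are counted), so its output suits review and regression tests of a processor like this one rather than serving as the isolation boundary itself.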

google-labs-jules bot and others added 2 commits February 28, 2026 12:19
…n projects

- Added `@nyariv/sandboxjs` (v0.8.33) directly as a bundled library under `public/libs/sandboxjs/sandbox.min.js`.
- Implemented `SandboxHtmlProcessor` utility to isolate and secure inline scripts and `on*` event handlers across all iDevice and custom headers.
- Integrated `SandboxHtmlProcessor` within `IdeviceRenderer` and `PageRenderer` so that any user-injected `<script>` or event handler logic gets automatically executed under the SandboxJS runtime during HTML5 and SCORM exports, as well as previews.
- Ensures cross-compatibility across preview (browser) and offline (Node/esbuild) mode by leveraging `DOMParser` where available or using a regex-based fallback in node.

Co-authored-by: erseco <1876752+erseco@users.noreply.github.com>
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.


github-actions bot commented Feb 28, 2026

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-02-28 15:17 UTC

@erseco erseco closed this Feb 28, 2026
@erseco erseco deleted the feat-sandboxjs-integration-13348126296206032348 branch February 28, 2026 15:17