How can I achieve safe user-generated client script execution?

Question

So we all know that eval is bad, and allowing users to create their own JavaScripts to run on your site is just potentially VERY dangerous, opening doors to all kinds of security risks.

My challenge however, is to come up with a solution, to allow users to create their own custom script snippets, that will execute on the client side. These scripts are basically prediction algorithms, that allow each individual user to build their very own customized prediction strategy, calculating and processing a set of data provided to them via AJAX.

Basically, on regular time intervals, an AJAX request is made by the system, a JS event is trigerred, notifying the client side each time new data has arrived. The above user scripts are allowed to hook into/subscribe to this event, executing the users algorithm on the received data, and outputting the result of their algorithm.

The following problem I have...If I allow users to create their own JavaScripts, they can pull all kinds of fancy tricks, like make cross browser unauthorized AJAX requests, invoke unintended input events and in plain short...attempt to hack the system with malicious intent.

I need to encapsulate these scripts, restricting them from using the browser context. For example they cannot make AJAX requests, or invoke click events on the page. The only access they have is to the data supplied, via a pre-determined input>process>output interface.

So my question is, how can my site, give users, SAFE, limited, scripting access? Is there for example a Lua script parser written in JavaScript or something likewise that can be utilised?

Answer 1

Would something like ADsafe work for your site?