• author: CodeDonor

Safely Executing User Code in the Browser: A Big Challenge

As web developers, we often face big challenges that appear daunting at first glance. One such challenge is executing user code safely in the browser. In this article, we will delve into the various aspects of this challenge and explore some strategies for getting around it.

Big Challenges Two and Three Solved

Before we dive in, let's take a moment to acknowledge two big challenges that we have already conquered: transpiling advanced JavaScript syntax (including async/await and JSX) and processing import statements for other JavaScript files (including npm packages) and CSS files. These are no small feats, and we can now turn our attention to the next big challenge on our list.

Evaluating User Code Safely

The first step in the process of executing user code in the browser is to understand what we mean by "safely." How can we ensure that the code we are executing does not cause harm to our application or our users?

One way to execute arbitrary JavaScript code contained in a string is by using the eval() function that is built into the browser. However, this function has a checkered history and is notorious for being a security risk. Before we explore why, let's look at how easily we can execute code using eval().

In our index.tsx file, we have an onClick function that triggers our bundler, which in turn transpiles and bundles our code, storing the result in text state variable. We can execute this code in the browser by passing it to eval().


We can also import packages like Axios and access them from the browser console.

importAxiosfrom'axios';console.log(Axios);// {defaults: {…}, get: ƒ, post: ƒ, put: ƒ, patch: ƒ, …}window.axios=Axios;// Expose Axios to the global `window` object

However, it is important to note that this approach has some significant limitations and risks.

Limitations and Risks

Here are some of the potential problems we face when using eval() to execute user code:

  • Syntax Errors: If the user code contains syntax errors, it will not execute, causing frustration for users who may not understand why their code is not working.

  • Runtime Errors: Even if the code passes syntax checks, it may still cause problems in runtime. For example, users may accidentally invoke a non-existent function or reference an undefined variable, causing the application to crash.

  • Performance Issues:eval() can be slower than other approaches, especially if the code being executed is large or complex.

  • Security Risks:eval() can be used to execute arbitrary code that can cause harm to our application or our users. For example, a malicious user could inject code that steals cookies or personal data.

Using try...catch Block

How can we handle these limitations and avoid the risks associated with eval()? One way is to wrap the eval() function in a try...catch block. This way, if the code contained in text state variable causes an error, the error will be caught and we can take appropriate action.


If we wanted, we could prompt the user with an error message or log the error to a database to help us troubleshoot and improve our application.

Asynchronous Code Pitfalls

However, the try...catch approach has its own limitations. For example, it cannot catch errors that happen outside the scope of the block. Asynchronous code executed with setTImeout() or other functions can potentially cause errors that are not caught by our try...catch block.

setTimeout(()=>{console.log('Triggering a runtime error!');console.log(undefinedVariable);// Trying to access an undefined variable},100);

To handle asynchronous code correctly, we need to employ other strategies and techniques.

Other Code Execution Strategies

In addition to eval(), there are other ways to execute user code in the browser that are considered safer and more efficient. These include:

  • Function Constructor: We can create a new function constructor using the user code and execute the return value. This approach avoids the security risks associated with eval()

  • Web Worker: We can execute user code outside the main thread of our application by using a web worker. This approach provides a more secure and efficient way to execute code.

  • Sandboxing: We can create a sandbox environment for executing user code by using an iframe or other techniques. This allows us to isolate the code and avoid the security risks associated with eval().

Each approach has its own strengths and weaknesses, and the best solution depends on the specific requirements of our application.


Executing user code safely in the browser is a big challenge that requires careful consideration and planning. While eval() provides a quick and easy way to execute code, it also introduces significant security risks. Other strategies, such as function constructors, web workers, and sandboxing, provide safer and more efficient alternatives. By understanding the limitations and risks of eval() and exploring other approaches, we can build more secure and reliable applications that meet the needs of our users.

Previous Post

Mitigating Challenges of Running User Code: Errors, Dom Manipulation, and Security Risks

Next Post

Using the ES Build Service: A Beginner's Guide to Transpiling with ES Build

About The auther

New Posts

Popular Post