Safely sandbox and execute user submitted JavaScript?

Solution 1:

You can use sandbox support in nodejs with vm.runInContext('js code', context), sample in api documentation:

https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options

const util = require('util');
const vm = require('vm');

const sandbox = { globalVar: 1 };
vm.createContext(sandbox);

for (var i = 0; i < 10; ++i) {
    vm.runInContext('globalVar *= 2;', sandbox);
}
console.log(util.inspect(sandbox));

// { globalVar: 1024 }

WARN: As pointed by "s4y" it seems to be flawled. Please look at the comments.

Solution 2:

One alternative would be to use http://github.com/patriksimek/vm2:

$ npm install vm2

then:

const {VM} = require('vm2');
const vm = new VM();

vm.run(`1 + 1`);  // => 2

as mentioned in comments of other answers.

I don't know how secure it is, but it at least claims that it runs untrusted code securely (in its README). And I couldn't find any obvious security issues so far as solutions suggested in other answers here.