On 2015-11-06 1:12 PM, Brion Vibber wrote:
Of course there are interesting possibilities like using JS as a template module extension language in place of / addition to Lua. A general warning: as I understand the php-embed bridge, JS-side code would a) have full rights to the system within the user the daemon runs as, and b) exiting/failing out of node would kill the entire daemon.
node has a built-in vm (https://nodejs.org/api/vm.html) module that is regularly used to execute sandboxed js that doesn't have access to the privileged node api. This code doesn't have access to `process.exit()`, and PHP's concept of fatal errors (in addition to thrown exceptions) that immediately halt the process and can't be caught doesn't exist in JS. Sandboxing against infinite loops could also be done by running the sandbox in another process (child_process even has a high-level message passing stream for communicating with a node js child process).
That all being said, I still think the original rationale for picking Lua (more sandboxing controls including execution limits based on steps in Lua rather than varying execution time) is still valid.
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
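
The arrangement described in this message, as an added example that is not part of the original email or of any MediaWiki code: the script is evaluated in a bare `vm` context inside a separate node process, and the parent kills that process on a wall-clock timeout. The Node.js documentation states that `vm` is not a security mechanism, so the process boundary and the kill timer are the controls to rely on here. `runUntrusted` and `CHILD_SOURCE` are hypothetical names, and synchronous stdin/stdout is swapped in for the `child_process` message channel to keep the example short.

```javascript
// Added example; runUntrusted and CHILD_SOURCE are hypothetical names.
const { spawnSync } = require('node:child_process');

// Program run in the child: read {code} from stdin, evaluate it in a fresh
// vm context that has no `process` or `require`, and reply with JSON on stdout.
const CHILD_SOURCE = `
const vm = require('node:vm');
const { code } = JSON.parse(require('node:fs').readFileSync(0, 'utf8'));
let reply;
try {
  const value = vm.runInNewContext(code, Object.create(null));
  reply = JSON.stringify({ ok: true, value });
} catch (e) {
  reply = JSON.stringify({ ok: false, error: String((e && e.message) || e) });
}
process.stdout.write(reply);
`;

// Parent side: a failure, exit or runaway loop in the child never takes the
// calling process down; the caller only ever sees a result object.
function runUntrusted(code, timeoutMs = 2000) {
  const r = spawnSync(process.execPath, ['-e', CHILD_SOURCE], {
    input: JSON.stringify({ code }),
    encoding: 'utf8',
    timeout: timeoutMs,      // wall-clock limit enforced from outside
    killSignal: 'SIGKILL',   // cannot be caught or ignored by the child
    maxBuffer: 64 * 1024,    // cap on how much output is accepted
  });
  if (r.error && r.error.code === 'ETIMEDOUT') return { ok: false, error: 'timeout' };
  if (r.error) return { ok: false, error: r.error.code || r.error.message };
  if (r.status !== 0) return { ok: false, error: `child exited ${r.status ?? r.signal}` };
  try {
    return JSON.parse(r.stdout);
  } catch {
    return { ok: false, error: 'unparseable child output' };
  }
}
```

The timeout is measured in time rather than interpreter steps, which is the difference from Lua's step-based limits that the message points out.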