preprocessor is very injectable

Question

AndrewRayCode opened this issue 6 years ago · 1 comments

#if console.log(1)
#endif

This library is not currently safe to use in any browser nor node environment where user input is allowed.

Answer 1 · 2019-01-06T11:44:56.000Z

@AndrewRayCode
In 66cf524 replaced eval with vm. Now that is safer.
If you know unsafe cases, I may integrate math-eval instead.