Security? #29
I can see from the examples that the expression can invoke native methods, like ToUpper. Is that safe to use when expressions are entered by web application users?
Actually I'm looking for a simple math parser with conditional support ("if...else"), but all the solutions I have found (so far) use code generation in one way or another, which in my case is both overkill and a security risk.

Comments

In an expression it is possible to call any public methods that are available in objects passed in the context. It is not possible to call static (or extension) methods in any way. This means that you can control what is possible to call by providing the evaluation context.

A user will not be able to declare a variable (e.g. File) within an expression?

No, it is not possible to call something like File.ReadAllText() directly.

I mean something like (new FileInfo("whatever")).DoWhatever()?

In an expression the user cannot create .NET objects directly. "new" works for creation of an array or Dictionary.

Ok, last question :)

Sure, you can include any 'helper' functions into the evaluation context. Something like this:
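The design the maintainer describes above (names and calls resolve only through a host-supplied evaluation context, no static calls, no object creation), shown as an added Python illustration that is not the project's code or API: a minimal evaluator that permits arithmetic, comparisons, if...else, and public methods on context values, and rejects everything else. The Helpers class and the sample context are constructed for the example.

```python
import ast
import operator

# Operators the sandbox supports; anything outside these tables is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP_OPS = {ast.Gt: operator.gt, ast.Lt: operator.lt, ast.Eq: operator.eq,
            ast.GtE: operator.ge, ast.LtE: operator.le, ast.NotEq: operator.ne}

class ExpressionError(Exception):
    """Raised for any construct the sandbox does not allow."""

def _eval(node, ctx):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name):  # names resolve only from the host-supplied context
        if node.id not in ctx:
            raise ExpressionError(f"unknown name: {node.id}")
        return ctx[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left, ctx), _eval(node.right, ctx))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        return _CMP_OPS[type(node.ops[0])](_eval(node.left, ctx), _eval(node.comparators[0], ctx))
    if isinstance(node, ast.IfExp):  # "a if cond else b" is the if...else support
        return _eval(node.body, ctx) if _eval(node.test, ctx) else _eval(node.orelse, ctx)
    if isinstance(node, ast.Call):
        # Only "obj.method(args)" where obj is a context name and method is public;
        # bare calls (open, __import__), underscore attributes and keywords are refused.
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            raise ExpressionError("only methods of context objects may be called")
        if func.attr.startswith("_") or node.keywords:
            raise ExpressionError(f"method not allowed: {func.attr}")
        target = _eval(func.value, ctx)
        return getattr(target, func.attr)(*[_eval(a, ctx) for a in node.args])
    # Attribute access outside a call, object creation, lists, lambdas etc. land here.
    raise ExpressionError(f"construct not allowed: {type(node).__name__}")

def evaluate(expression, context):
    """Evaluate a user-supplied expression against a host-controlled context."""
    return _eval(ast.parse(expression, mode="eval").body, context)

class Helpers:
    """Constructed helper object the host chooses to expose through the context."""
    def discount(self, price, pct):
        return price * (100 - pct) / 100

if __name__ == "__main__":
    ctx = {"price": 40, "qty": 5, "name": "alice", "h": Helpers()}
    print(evaluate("h.discount(price, 10) * qty if qty > 3 else price * qty", ctx))  # 180.0
```

Because the host decides what goes into the context, exposing a helper object is the only route to extra functionality, which is the property the thread is asking about.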