On Monday, January 12, 2015 at 2:42:59 AM UTC-5, Ivar Nesje wrote:
> Note that there might be a security issue, because whoever inputs data to
> your program also gets the ability to run arbitrary code on the computer. In
> a local setting where everyone who inputs data also has access to changing
> the code, this isn't an issue, but be careful if you plan to take input
> from strangers (e.g. on a Web server).
In principle, you could call parse() on the string first, then walk the AST to check that it only contains one of a small whitelist of allowed expression types, and only then evaluate the parsed expression.
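The parse-then-whitelist-then-eval approach described in that reply, written out as an added Julia example (this is not code from the thread or from its participants). It assumes current Julia, where the parser is exposed as `Meta.parse` rather than the `parse()` of the 2015 thread, and it restricts input to numeric literals and a small set of arithmetic operators; `ALLOWED_OPS`, `is_safe_arith` and `safe_eval_arith` are names chosen here for illustration.

```julia
# Added example: evaluate untrusted arithmetic input only after the parsed
# AST has been checked against a whitelist. Anything else is rejected before
# eval() ever sees it.

# Operators that the checker accepts (assumption: this is the whole allowed language).
const ALLOWED_OPS = Set([:+, :-, :*, :/, :^])

# Walk the AST produced by Meta.parse and return true only if every node is
# a numeric literal or a call to a whitelisted operator with safe arguments.
function is_safe_arith(ex)
    if ex isa Number
        return true
    elseif ex isa Expr && ex.head == :call
        op = ex.args[1]
        # The callee must be a plain Symbol on the whitelist; an Expr callee
        # such as (f)(1) or a non-listed function like readdir is rejected.
        op isa Symbol && op in ALLOWED_OPS || return false
        return all(is_safe_arith, ex.args[2:end])
    else
        # Symbols (variable lookups), assignments, blocks, macro calls,
        # string interpolation, function definitions, etc. are all rejected.
        # Meta.parse("") returns nothing, which also lands here.
        return false
    end
end

# Parse, verify, and only then evaluate. Evaluation happens in a fresh
# anonymous module so an accepted expression cannot read or write the
# caller's bindings.
function safe_eval_arith(input::AbstractString)
    ex = Meta.parse(input)
    is_safe_arith(ex) || throw(ArgumentError("expression not allowed: $input"))
    return Core.eval(Module(), ex)
end

# Constructed sample inputs for demonstration.
println(safe_eval_arith("2 * (3 + 4)^2"))   # arithmetic only: evaluated, prints 98

for bad in ["x = 1", "readdir(\".\")", "sqrt(4)", "1 .+ 2"]
    try
        safe_eval_arith(bad)
    catch e
        println("rejected: ", bad)         # never reaches eval()
    end
end
```

The check is deliberately a whitelist rather than a blacklist: the parser can produce many node kinds (`:macrocall`, `:string`, `:->`, `:.`, and so on), and enumerating the dangerous ones is far easier to get wrong than enumerating the handful you actually need. Note that `sqrt(4)` is rejected too; if a function needs to be allowed, add it to the set explicitly rather than loosening the `:call` rule.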
