I am using QJSEngine to let the user script custom data transforms in my application. I understand QJSEngine is not sandboxed and runs at the same privilege level as my application. Does this have security implications I need to worry about? I am not exposing any application objects to QJSEngine.
I tried a few things:
Opening a URL:
window.open();
Reading a file:
new XMLHttpRequest();
Accessing the registry:
new ActiveXObject("WScript.Shell");
None of these worked. So is there anything nasty a user can do from inside QJSEngine? If so, what?
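An added example, not part of the original post: instead of probing host APIs one at a time, a script can list every name on the engine's global object that is not an ECMAScript standard built-in, which shows exactly what the embedding exposes. The function name `auditGlobals`, the `STANDARD` list and the sample object are assumptions made for illustration; the code is ES5-style so it does not depend on newer syntax.

```javascript
// Names defined by the ECMAScript specification itself (not host-provided).
var STANDARD = ["globalThis", "Infinity", "NaN", "undefined", "eval",
  "isFinite", "isNaN", "parseFloat", "parseInt", "decodeURI",
  "decodeURIComponent", "encodeURI", "encodeURIComponent", "escape",
  "unescape", "Object", "Function", "Array", "String", "Boolean", "Number",
  "Symbol", "BigInt", "Date", "RegExp", "Error", "EvalError", "RangeError",
  "ReferenceError", "SyntaxError", "TypeError", "URIError", "AggregateError",
  "Math", "JSON", "Reflect", "Proxy", "Promise", "Map", "Set", "WeakMap",
  "WeakSet", "WeakRef", "FinalizationRegistry", "ArrayBuffer",
  "SharedArrayBuffer", "DataView", "Atomics", "Int8Array", "Uint8Array",
  "Uint8ClampedArray", "Int16Array", "Uint16Array", "Int32Array",
  "Uint32Array", "Float32Array", "Float64Array", "BigInt64Array",
  "BigUint64Array"];

// root:   the global object to inspect (pass `this` from top-level script code)
// probes: host API names to test explicitly, e.g. the three tried in the post
function auditGlobals(root, probes) {
  var known = {};
  STANDARD.forEach(function (name) { known[name] = true; });

  // getOwnPropertyNames also returns non-enumerable properties, which is
  // how most built-in and host-injected globals are defined.
  var nonStandard = Object.getOwnPropertyNames(root).filter(function (name) {
    return !known[name];
  }).sort();

  // `in` also sees properties inherited through the prototype chain.
  var probesPresent = probes.filter(function (name) { return name in root; });

  return { nonStandard: nonStandard, probesPresent: probesPresent };
}

// Constructed sample: a fake global object standing in for an embedding
// that exposes two host functions next to the standard built-ins.
var sampleGlobal = {
  Object: Object, Math: Math, JSON: JSON,
  print: function () {}, XMLHttpRequest: function () {}
};
var sampleReport = auditGlobals(sampleGlobal,
  ["window", "XMLHttpRequest", "ActiveXObject"]);
```

Inside the application, evaluating `JSON.stringify(auditGlobals(this, ["window", "XMLHttpRequest", "ActiveXObject"]))` through `QJSEngine::evaluate()` returns the same report for the real engine, and any name in `nonStandard` is surface to review before accepting user scripts.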