From 1bd0897fd862984ccac5dea43baa6416a1d9b9b6 Mon Sep 17 00:00:00 2001
From: Andrew Kingston
Date: Thu, 14 Oct 2021 12:02:34 +0100
Subject: [PATCH] Block certain browser API's when executing JS in the browser
---
packages/string-templates/src/helpers/javascript.js | 7 +------
packages/string-templates/src/index.mjs | 6 ++++++
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/packages/string-templates/src/helpers/javascript.js b/packages/string-templates/src/helpers/javascript.js
index e96212ecb6..42e8a1508a 100644
--- a/packages/string-templates/src/helpers/javascript.js
+++ b/packages/string-templates/src/helpers/javascript.js
@@ -39,12 +39,7 @@ module.exports.processJS = (handlebars, context) => {
 const js = `function run(){${atob(handlebars)}};run();`
 
 // Our $ context function gets a value from context
- const sandboxContext = {
- $: path => getContextValue(path, context),
- alert: undefined,
- setInterval: undefined,
- setTimeout: undefined,
- }
+ const sandboxContext = { $: path => getContextValue(path, context) }
 
 // Create a sandbox with out context and run the JS
 return runJS(js, sandboxContext)
diff --git a/packages/string-templates/src/index.mjs b/packages/string-templates/src/index.mjs
index abb74d4ac4..446e71ef88 100644
--- a/packages/string-templates/src/index.mjs
+++ b/packages/string-templates/src/index.mjs
@@ -20,6 +20,12 @@ export const processObject = templates.processObject
 * Use polyfilled vm to run JS scripts in a browser Env
 */
 setJSRunner((js, context) => {
+ context = {
+ ...context,
+ alert: undefined,
+ setInterval: undefined,
+ setTimeout: undefined,
+ }
 vm.createContext(context)
 return vm.runInNewContext(js, context, { timeout: 1000 })
 })
\ No newline at end of file
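Review bot: The new `sandboxContext` line hands the runner nothing but `$`, so which globals a template script can reach is now decided entirely by whichever runner was registered through `setJSRunner`, and nothing in this hunk says so. The only runner visible in this commit is the browser one in index.mjs; a runner registered elsewhere (a server-side one, for instance, not shown here) no longer receives the `alert`/`setInterval`/`setTimeout` overrides and presumably has to restrict its own context. I would record that contract on the line, e.g. `// API restrictions are the registered runner's job; processJS only supplies $`. processJS starts above the hunk, so this is based on its visible tail only.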
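Review bot: The three `undefined` overrides added at the top of the runner are a denylist, so every other global the polyfilled `vm` context exposes stays callable from template scripts; the visible lines do not show what that set is. If these scripts can be authored by anyone less trusted than the app's operator, the overrides should not be read as isolation, and a comment should say what they are for, e.g. `// Hides blocking/timer APIs from template JS; not a security boundary`. It is also worth confirming that the polyfill honours `{ timeout: 1000 }`, since a browser shim may ignore that option (this cannot be determined from the hunk). As a matter of style, building a new object such as `const sandbox = { ...context, alert: undefined, setInterval: undefined, setTimeout: undefined }` reads more clearly than reassigning the `context` parameter.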