From aa150989bd38746dd410a2121a40f962e6337c22 Mon Sep 17 00:00:00 2001
From: Andrew Kingston <aptkingston@ssl-mail.com>
Date: Wed, 13 Oct 2021 14:37:14 +0100
Subject: [PATCH] Prevent executing JS bindings when running in a Node env

---
 packages/string-templates/src/helpers/javascript.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/packages/string-templates/src/helpers/javascript.js b/packages/string-templates/src/helpers/javascript.js
index ad8c96ae5d..2c2802c64c 100644
--- a/packages/string-templates/src/helpers/javascript.js
+++ b/packages/string-templates/src/helpers/javascript.js
@@ -39,13 +39,23 @@ const atob = base64 => {
 
 // Evaluates JS code against a certain context
 module.exports.processJS = (handlebars, context) => {
+  // Do not evaluate JS in a node environment
+  if (typeof window === "undefined") {
+    return "JS bindings are not executed in a Node environment"
+  }
+
   try {
     // Wrap JS in a function and immediately invoke it.
     // This is required to allow the final `return` statement to be valid.
     const js = `function run(){${atob(handlebars)}};run();`
 
     // Our $ context function gets a value from context
-    const sandboxContext = { $: path => getContextValue(path, context) }
+    const sandboxContext = {
+      $: path => getContextValue(path, context),
+      alert: undefined,
+      setInterval: undefined,
+      setTimeout: undefined,
+    }
 
     // Create a sandbox with out context and run the JS
     vm.createContext(sandboxContext)