Don't add a comment on the last line.
-
main:
console.log("I am going to error on next line");
// Some comment without newline at the end of last
// comment.
It gives an error:
// comment })()
-
Is this possibly exploitable? This allows escaping the context in which the user code is supposed to run. This code doesn't generate any errors, even though it appears invalid:
console.log("Hello world!")})(); console.log("42"); (function foo(){
That prints "Hello world!" and "42" to the console. "Hello world!" is printed from the normal script context, but "42" is printed from a context where user code is not supposed to run. I don't know if that context allows users to do anything nasty.
-
In my code, I wrap my code within
new Function(<code>);
While I use this to keep simple syntax errors out of the code, this could also help avoid user code doing unexpected things. On live code, a simple wrapper around the code should be enough. Just make sure that there is a newline after the code injection.
I'm using this wrapper in my code: https://github.com/avdg/screeps/blob/39d36cf49b358d2615b65ce73131e625a7ab14b4/lib/codegen/extensions.js#L193