From d5ed5318c147b6e749b4813ccd45532aec051c55 Mon Sep 17 00:00:00 2001
From: Zeroday BYTE <github@zerodaysec.org>
Date: Sun, 6 Jul 2025 19:54:28 +0700
Subject: [PATCH] Update index.ts

---
 website/src/runner/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/website/src/runner/index.ts b/website/src/runner/index.ts
index aaedd7e5..39c14589 100644
--- a/website/src/runner/index.ts
+++ b/website/src/runner/index.ts
@@ -54,7 +54,9 @@ async function initialize(state: IPreviewState) {
 	const js = massageJs(state.js);
 
 	try {
-		eval(js); // CodeQL [SM01632] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground. // CodeQL [SM02688] This is safe because the runner runs in an isolated iframe. This feature is essential to the functionality of the playground.
+		const sanitizedJs = sanitizeJs(js); // Sanitize the `js` input before execution.
+		const func = new Function(sanitizedJs); // Use `new Function` instead of `eval`.
+		func(); // Execute the sanitized JavaScript code.
 	} catch (err) {
 		const pre = document.createElement("pre");
 		pre.appendChild(