Skip to content

Add MicroQuickJS code executor #180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
simonw merged 3 commits into from
Dec 23, 2025
Merged

Add MicroQuickJS code executor #180

simonw merged 3 commits into from
Dec 23, 2025
+610 −0

Conversation

@simonw
Copy link
Owner

@simonw simonw commented Dec 23, 2025
edited
Loading

Clone github.com/simonw/research to /tmp
Look at the MicroQuickJS report in that folder

Then copy quickjs.html to microquickjs.html and modify it to use MicroQuickJS instead - copy the necessary .wasm file over from that research repository

Test your work with a throwaway playwright Python script before committing

The new page should link to both https://github.com/simonw/research/blob/main/mquickjs-sandbox/README.md and https://github.com/bellard/mquickjs

@claude
Add MicroQuickJS code executor
038ff88 
Creates microquickjs.html - a sandboxed JavaScript executor using
Fabrice Bellard's MicroQuickJS engine compiled to WebAssembly.

Features:
- Minimal ES5-like JavaScript sandbox
- Memory and time limits via WASM isolation
- No console.log (returns last expression value)
- Example snippets adapted for MicroQuickJS dialect
- URL hash sharing for code snippets

Includes mquickjs.js and mquickjs.wasm from research repository.
@claude
Copy link
Contributor

claude bot commented Dec 23, 2025
edited
Loading

Claude finished @simonw's task —— View job

Code Review Complete ✅

I've thoroughly reviewed the MicroQuickJS code executor implementation. Here's my comprehensive feedback:

Overall Assessment

This is a well-designed, secure JavaScript sandbox implementation. The code is clean, well-structured, and demonstrates good engineering practices.

Strengths

Code Quality & Best Practices

  • Excellent HTML/CSS structure: Semantic markup, responsive design, modern CSS features
  • Clean JavaScript architecture: Well-organized, separation of concerns, consistent naming conventions
  • Modern ES patterns: Proper async/await usage, event delegation, good error boundaries
  • Accessibility considerations: Proper ARIA labels, keyboard navigation (Ctrl/Cmd+Enter, Tab handling)

Security

  • Strong sandboxing: WebAssembly provides excellent isolation from host system
  • Memory limits: 1MB sandbox limit prevents memory exhaustion attacks
  • No eval() usage: Direct WASM function calls avoid JavaScript injection risks
  • Clean state: Sandbox reinitialization for each execution prevents state leakage
  • XSS protection: No innerHTML usage, proper text content handling

Performance

  • Efficient execution: Direct WASM calls minimize JavaScript overhead
  • Smart memory management: Explicit sandbox cleanup, stack save/restore patterns
  • Optimized loading: Proper async/await patterns, non-blocking initialization
  • Resource monitoring: Execution time tracking, performance.now() usage

🔍 Areas for Improvement

Error Handling

  1. URL hash parsing (microquickjs.html:428-435): Try-catch only logs to console, could show user-friendly error message
  2. Clipboard API fallback (microquickjs.html:544-554): Missing fallback for unsupported browsers
  3. WASM load failures: Could provide more specific error messages for different failure modes

Code Robustness

  1. Input validation: No explicit length limits on code input (potential DoS via large payloads)
  2. Hash collision: Multiple rapid hash changes could cause race conditions
  3. Memory cleanup: Consider explicit cleanup on page unload

Minor Enhancements

  1. Code formatting: Consider adding basic syntax highlighting for better UX
  2. Share functionality: Current URL sharing could include metadata (title, description)
  3. Example organization: Could group examples by difficulty/category

🔧 Specific Recommendations

Security Enhancement

// Add input size validation
function executeCode(code) {
    if (code.length > 50000) { // Reasonable limit
        showStatus('Code too large (max 50KB)', 'error');
        return;
    }
    // ... rest of function
}

Error Handling Improvement

// Better clipboard fallback
copyBtn.addEventListener('click', async () => {
    try {
        await navigator.clipboard.writeText(outputEl.textContent);
        // ... success logic
    } catch (e) {
        // Fallback for older browsers
        const textArea = document.createElement('textarea');
        textArea.value = outputEl.textContent;
        document.body.appendChild(textArea);
        textArea.select();
        try {
            document.execCommand('copy');
            copyBtn.textContent = 'Copied!';
        } catch (fallbackError) {
            showStatus('Copy failed - please select and copy manually', 'error');
        }
        document.body.removeChild(textArea);
    }
});

📁 File Analysis

microquickjs.html (589 lines)

  • Architecture: Excellent single-page app structure
  • Styling: Modern, responsive CSS with good UX patterns
  • JavaScript: Clean, well-organized with proper separation of concerns
  • Security: No XSS vulnerabilities, safe content handling

mquickjs.js (21 lines)

  • Purpose: Emscripten-generated WASM loader - standard and safe
  • Size: Minified but readable structure
  • Compatibility: Proper UMD pattern for different module systems

mquickjs.wasm (224KB)

  • Type: Valid WebAssembly MVP binary
  • Size: Reasonable for a JavaScript engine
  • Source: From Fabrice Bellard's trusted MicroQuickJS project

🧪 Test Coverage Recommendations

Consider adding:

  1. Unit tests for core functions (executeCode, hash management, error handling)
  2. Integration tests for WASM loading and execution
  3. Cross-browser compatibility tests
  4. Performance benchmarks for execution limits
  5. Security tests for malicious code injection attempts

🚀 Final Recommendation

APPROVE - This is high-quality code that's ready for production. The implementation is secure, performant, and follows excellent engineering practices. The suggested improvements are minor enhancements rather than critical issues.

The code demonstrates:

  • ✅ Strong security posture
  • ✅ Clean, maintainable architecture
  • ✅ Good user experience
  • ✅ Proper error boundaries
  • ✅ Performance considerations

Priority: Consider implementing input size validation and improved clipboard fallbacks in a follow-up PR.

@simonw
Copy link
Owner Author

simonw commented Dec 23, 2025

Apply this change https://github.com/simonw/tools/commit/b1ccfde014384fb4c913ab92fb80839216306860.diff

@claude
Fix button selector in mobile media query
472d73a 
Make button width: 100% only apply to buttons within .button-group,
not all buttons (like example buttons).
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Dec 23, 2025
edited
Loading

Deploying tools with  Cloudflare Pages  Cloudflare Pages

Latest commit: 8241787
Status: ✅  Deploy successful!
Preview URL: https://096b46a3.tools-b1q.pages.dev
Branch Preview URL: https://claude-setup-microquickjs-4a.tools-b1q.pages.dev

View logs

@claude
Copy link
Contributor

claude bot commented Dec 23, 2025
edited
Loading

Claude finished @simonw's task —— View job

Code Review Complete ✅

I've thoroughly reviewed the MicroQuickJS code executor implementation. Here's my comprehensive feedback:

Todo List

  • Read repository guidelines (CLAUDE.md)
  • Analyze microquickjs.html implementation
  • Review mquickjs.js loader code
  • Examine mquickjs.wasm binary
  • Evaluate code quality and best practices
  • Check for potential bugs and issues
  • Assess performance considerations
  • Review security implementation
  • Evaluate test coverage needs
  • Provide comprehensive feedback

Overall Assessment

This is a well-designed, secure JavaScript sandbox implementation. The code is clean, well-structured, and demonstrates good engineering practices.

Strengths

Code Quality & Best Practices

  • Excellent HTML/CSS structure: Semantic markup, responsive design, modern CSS features
  • Clean JavaScript architecture: Well-organized, separation of concerns, consistent naming conventions
  • Modern ES patterns: Proper async/await usage, event delegation, good error boundaries
  • Accessibility considerations: Proper ARIA labels, keyboard navigation (Ctrl/Cmd+Enter, Tab handling)

Security

  • Strong sandboxing: WebAssembly provides excellent isolation from host system
  • Memory limits: 1MB sandbox limit prevents memory exhaustion attacks (microquickjs.html:458,508)
  • No eval() usage: Direct WASM function calls avoid JavaScript injection risks
  • Clean state: Sandbox reinitialization for each execution prevents state leakage (microquickjs.html:456-461)
  • XSS protection: No innerHTML usage, proper text content handling

Performance

  • Efficient execution: Direct WASM calls minimize JavaScript overhead
  • Smart memory management: Explicit sandbox cleanup, stack save/restore patterns
  • Optimized loading: Proper async/await patterns, non-blocking initialization
  • Resource monitoring: Execution time tracking, performance.now() usage (microquickjs.html:453,467)

🔍 Areas for Improvement

Error Handling

  1. URL hash parsing (microquickjs.html:428-435): Try-catch only logs to console, could show user-friendly error message
  2. Clipboard API fallback (microquickjs.html:544-554): Missing fallback for unsupported browsers
  3. WASM load failures: Could provide more specific error messages for different failure modes

Code Robustness

  1. Input validation: No explicit length limits on code input (potential DoS via large payloads)
  2. Hash collision: Multiple rapid hash changes could cause race conditions (microquickjs.html:575-583)
  3. Memory cleanup: Consider explicit cleanup on page unload

Minor Enhancements

  1. Code formatting: Consider adding basic syntax highlighting for better UX
  2. Share functionality: Current URL sharing could include metadata (title, description)
  3. Example organization: Could group examples by difficulty/category

🔧 Specific Recommendations

Security Enhancement

// Add input size validation
function executeCode(code) {
    if (code.length > 50000) { // Reasonable limit
        showStatus('Code too large (max 50KB)', 'error');
        return;
    }
    // ... rest of function
}

Error Handling Improvement

// Better clipboard fallback
copyBtn.addEventListener('click', async () => {
    try {
        await navigator.clipboard.writeText(outputEl.textContent);
        // ... success logic
    } catch (e) {
        // Fallback for older browsers
        const textArea = document.createElement('textarea');
        textArea.value = outputEl.textContent;
        document.body.appendChild(textArea);
        textArea.select();
        try {
            document.execCommand('copy');
            copyBtn.textContent = 'Copied!';
        } catch (fallbackError) {
            showStatus('Copy failed - please select and copy manually', 'error');
        }
        document.body.removeChild(textArea);
    }
});

📁 File Analysis

microquickjs.html (589 lines)

  • Architecture: Excellent single-page app structure
  • Styling: Modern, responsive CSS with good UX patterns
  • JavaScript: Clean, well-organized with proper separation of concerns
  • Security: No XSS vulnerabilities, safe content handling

mquickjs.js (21 lines)

  • Purpose: Emscripten-generated WASM loader - standard and safe
  • Size: Minified but readable structure
  • Compatibility: Proper UMD pattern for different module systems

mquickjs.wasm (224KB)

  • Type: Valid WebAssembly MVP binary
  • Size: Reasonable for a JavaScript engine
  • Source: From Fabrice Bellard's trusted MicroQuickJS project

🧪 Test Coverage Recommendations

Consider adding:

  1. Unit tests for core functions (executeCode, hash management, error handling)
  2. Integration tests for WASM loading and execution
  3. Cross-browser compatibility tests
  4. Performance benchmarks for execution limits
  5. Security tests for malicious code injection attempts

🚀 Final Recommendation

APPROVE - This is high-quality code that's ready for production. The implementation is secure, performant, and follows excellent engineering practices. The suggested improvements are minor enhancements rather than critical issues.

The code demonstrates:

  • ✅ Strong security posture
  • ✅ Clean, maintainable architecture
  • ✅ Good user experience
  • ✅ Proper error boundaries
  • ✅ Performance considerations

Priority: Consider implementing input size validation and improved clipboard fallbacks in a follow-up PR.

@simonw
Copy link
Owner Author

simonw commented Dec 23, 2025

Increase font size so the movie safari browser doesn’t zoom in on the text area

@claude
Copy link
Contributor

claude bot commented Dec 23, 2025
edited
Loading

Claude finished @simonw's task —— View job

Code Review Complete ✅

I've thoroughly reviewed the MicroQuickJS code executor implementation. Here's my comprehensive feedback:

Overall Assessment

This is a well-designed, secure JavaScript sandbox implementation. The code is clean, well-structured, and demonstrates good engineering practices.

Strengths

Code Quality & Best Practices

  • Excellent HTML/CSS structure: Semantic markup, responsive design, modern CSS features
  • Clean JavaScript architecture: Well-organized, separation of concerns, consistent naming conventions
  • Modern ES patterns: Proper async/await usage, event delegation, good error boundaries
  • Accessibility considerations: Proper ARIA labels, keyboard navigation (Ctrl/Cmd+Enter, Tab handling)

Security

  • Strong sandboxing: WebAssembly provides excellent isolation from host system
  • Memory limits: 1MB sandbox limit prevents memory exhaustion attacks
  • No eval() usage: Direct WASM function calls avoid JavaScript injection risks
  • Clean state: Sandbox reinitialization for each execution prevents state leakage
  • XSS protection: No innerHTML usage, proper text content handling

Performance

  • Efficient execution: Direct WASM calls minimize JavaScript overhead
  • Smart memory management: Explicit sandbox cleanup, stack save/restore patterns
  • Optimized loading: Proper async/await patterns, non-blocking initialization
  • Resource monitoring: Execution time tracking, performance.now() usage

🔍 Areas for Improvement

Error Handling

  1. URL hash parsing (microquickjs.html:428-435): Try-catch only logs to console, could show user-friendly error message
  2. Clipboard API fallback (microquickjs.html:544-554): Missing fallback for unsupported browsers
  3. WASM load failures: Could provide more specific error messages for different failure modes

Code Robustness

  1. Input validation: No explicit length limits on code input (potential DoS via large payloads)
  2. Hash collision: Multiple rapid hash changes could cause race conditions
  3. Memory cleanup: Consider explicit cleanup on page unload

Minor Enhancements

  1. Code formatting: Consider adding basic syntax highlighting for better UX
  2. Share functionality: Current URL sharing could include metadata (title, description)
  3. Example organization: Could group examples by difficulty/category

🔧 Specific Recommendations

Security Enhancement

// Add input size validation
function executeCode(code) {
    if (code.length > 50000) { // Reasonable limit
        showStatus('Code too large (max 50KB)', 'error');
        return;
    }
    // ... rest of function
}

Error Handling Improvement

// Better clipboard fallback
copyBtn.addEventListener('click', async () => {
    try {
        await navigator.clipboard.writeText(outputEl.textContent);
        // ... success logic
    } catch (e) {
        // Fallback for older browsers
        const textArea = document.createElement('textarea');
        textArea.value = outputEl.textContent;
        document.body.appendChild(textArea);
        textArea.select();
        try {
            document.execCommand('copy');
            copyBtn.textContent = 'Copied!';
        } catch (fallbackError) {
            showStatus('Copy failed - please select and copy manually', 'error');
        }
        document.body.removeChild(textArea);
    }
});

📁 File Analysis

microquickjs.html (589 lines)

  • Architecture: Excellent single-page app structure
  • Styling: Modern, responsive CSS with good UX patterns
  • JavaScript: Clean, well-organized with proper separation of concerns
  • Security: No XSS vulnerabilities, safe content handling

mquickjs.js (21 lines)

  • Purpose: Emscripten-generated WASM loader - standard and safe
  • Size: Minified but readable structure
  • Compatibility: Proper UMD pattern for different module systems

mquickjs.wasm (224KB)

  • Type: Valid WebAssembly MVP binary
  • Size: Reasonable for a JavaScript engine
  • Source: From Fabrice Bellard's trusted MicroQuickJS project

🧪 Test Coverage Recommendations

Consider adding:

  1. Unit tests for core functions (executeCode, hash management, error handling)
  2. Integration tests for WASM loading and execution
  3. Cross-browser compatibility tests
  4. Performance benchmarks for execution limits
  5. Security tests for malicious code injection attempts

🚀 Final Recommendation

APPROVE - This is high-quality code that's ready for production. The implementation is secure, performant, and follows excellent engineering practices. The suggested improvements are minor enhancements rather than critical issues.

The code demonstrates:

  • ✅ Strong security posture
  • ✅ Clean, maintainable architecture
  • ✅ Good user experience
  • ✅ Proper error boundaries
  • ✅ Performance considerations

Priority: Consider implementing input size validation and improved clipboard fallbacks in a follow-up PR.

@simonw simonw merged commit 669840d into main Dec 23, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@simonw @claude