There are two cases within the system that allow the client to send scripts to the server for evaluation.
- Filters and/or queries: It is legal to send a filter to the server which reads something like this -
- System API: The API call AJAXEvaluate allows the client to run arbitrary scripts on the server and receive a response.
If you enable script sandboxing, the script being evaluated via either of these two entry points runs within a reduced rights sandbox with the following characteristics:
- Only those business rules marked client callable are available within the sandbox.
- Only those script includes marked client callable are available within the sandbox.
- Certain API calls (largely but not entirely limited to those dealing with direct DB access) are not allowed.
- Data cannot be inserted, updated, or deleted from within the sandbox. Any calls to current.update(), for example, are ignored.
If you run the system without script sandboxing enabled, then none of these restrictions apply.
Note: This property is activated by default when you activate the High Security
Settings plugin. Do not activate this property outside of the plugin.
Run client generated scripts (AJAXEvaluate and query conditions) inside of a reduced
If enabled, only those business rules and script includes with the Client
callable checkbox set to true are available and certain back-end API calls
Enabled (sandbox in use)