Secure by default

[rluvaton]

Currently the JavaScript evaluation is enabled by default which is a bad practice, I know this project is not maintained anymore but given the case I would like to know if you would merge a PR that disable the evaluation by default

JavaScript evaluation is very dangerous if coming from user input (even if it's running in a sandbox) for example, the following path will cause Heap out of Memory error:

const { JSONPath } = require('jsonpath-plus');

JSONPath({
  json: { nonEmpty: 'object' },
  path: '$..[?(' +
'(function a(arr){' +
'a([...arr, ...arr])' +
'})([1]);)]'
});

[brettz9]

Yes, normally, I'd agree that a project should go with safe-by-default, but as this project has been long around, derived from jsonpath which also had the same issue, I think we would be taking away too much functionality from users accustomed to the project if we are not providing at least a subset of filtering expressions without eval. Until such time as we can have a safe sandbox on by default, one can opt into preventEval.

[80avin]

Hey @rluvaton , not sure if relevant now but JSONPath-Plus is now safe by default.
And the expression you entered fails with error

index-browser-umd.cjs:1694 Uncaught Error: Unexpected "{" at character 16