Crippling PHP to Allow Some User-Submitted Scripts

[RestlessThoughts]

Hi! I'd like to allow some user-submitted plugins or custom code bits on pages. I'm basically making an online game generator for dummies and would like to allow some extra customization.

 

Obviously I don't want to offer the full capability of php. I found safer eval and I believe with php's tokenizer I could make a parser to check user-submitted scripts for malicious coding against a white list. (For html cleaning I'd use htmlpurifier, though I haven't found a good solution for any CSS or Javascript yet. The php cleaning seems a larger road block anyway.)

 

I was wondering if anyone here had a better solution? I don't want to make up my own coding language and I would prefer not to have to look over each script before use.

 

I know this is a bad idea in general, sorry if I give anyone a heart attack by my even considering doing this and thank you in advance for any help!

[trq]

If you have the ability to install extensions ive had some success with a similar concept within one of my CMS's.

 

http://aurore.net/projects/php-js/

 

php-js is a php extension embedding the Spidermonkey Javascript engine into php, thus allowing your users to provide plugin code written in Javascript using an API that you can define yourself.

[RestlessThoughts]

Thank you, that looks very interesting!

I'm pretty rusty with Js, but that looks very much like what I'm wanting.