JSONFormField should absolutely not be eval-ing user-supplied content.
fletom opened this issue
Think hiding __builtins__ helps? Nope.
(x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings').next()()._module.__builtins__
Good point, that should certainly be disabled by default. Will commit shortly.
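An added example, not part of the thread or the project's code: it compares an `eval` call whose `__builtins__` has been emptied with `json.loads` on the same input. The function names are hypothetical, the probe string is constructed from the first half of the expression quoted in the issue, and the code targets Python 3.

```python
import json

# Constructed input: the first half of the expression quoted in the issue.
# It only walks from an int literal up to object and lists its subclasses.
PROBE = "(1).__class__.__base__.__subclasses__()"

# Constructed input: an ordinary JSON document a form field might receive.
VALID_JSON = '{"a": [1, true, null]}'


def parse_with_eval(text):
    """Hypothetical 'before': eval with __builtins__ emptied out."""
    return eval(text, {"__builtins__": {}}, {})


def parse_with_json(text):
    """Hypothetical 'after': json.loads parses data and never runs code."""
    try:
        return json.loads(text)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        raise ValueError("field does not contain valid JSON: %s" % exc)


def probe_reaches_classes(text=PROBE):
    """True if the stripped-down eval still hands back live class objects."""
    result = parse_with_eval(text)
    return isinstance(result, list) and any(isinstance(c, type) for c in result)


def json_rejects(text=PROBE):
    """True if json.loads refuses the probe instead of evaluating it."""
    try:
        parse_with_json(text)
    except ValueError:
        return True
    return False


def eval_fails_on_valid_json(text=VALID_JSON):
    """eval is not a JSON parser either: true/false/null are undefined names."""
    try:
        parse_with_eval(text)
    except NameError:
        return True
    return False
```

Attribute access on a literal needs no builtins at all, so emptying `__builtins__` removes names from the namespace without removing any reachability.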