Thanks for your suggestions. I'm the author of math.js working on these fixes. If feasible, a whitelist is safer than a blacklist of course. However, math.js supports objects like JavaScript, and these objects can have arbitrary properties. A naive whitelist would simply render these completely blocked. An option could be to try to distinguish between own properties and inherited properties but that gives issues too with regular methods on classes. It's not so easy to "just" create a whitelist and put it in place (and... which place or places?). I try to understand the underlying cause and try to put security measures at the right place rather than a hail-shot all over the place. I'm no security expert so it's a bit of a search. I'm really happy with all people helping to find and report more issues in this regard!
A first approach was to try to put security checks right before executing any function. That didn't work out since the parser doesn't have control over all function executions: for example not over the ones invoked by Array.forEach and Array.map. A second approach was to blacklist the "constructor" property since all issues did go via constructor and managed to call Function that way. That wasn't enough either. Current approach is to guard the values of symbols and properties (the places where unknown stuff can come in) and test whether there value equals Function. To be continued I think...
@nicolewhite algebra.js looks really interesting. I hadn't seen it before. Maybe we can somehow join forces (I'm the author or math.js). If you're interested just drop me a mail or open a discussion on github.
@pachydermic you can use math.parse("abx + c = y") which returns an expression tree. You can perform transformations on this tree. See docs: http://mathjs.org/docs/expressions/expression_trees.html. There is an early implementation of algebraic differentiation (not yet public): https://github.com/josdejong/mathjs/pull/411. Next step is to implement functions simplify and integrate. It all looks very promising.
A first approach was to try to put security checks right before executing any function. That didn't work out since the parser doesn't have control over all function executions: for example not over the ones invoked by Array.forEach and Array.map. A second approach was to blacklist the "constructor" property since all issues did go via constructor and managed to call Function that way. That wasn't enough either. Current approach is to guard the values of symbols and properties (the places where unknown stuff can come in) and test whether there value equals Function. To be continued I think...