Nice!  It is definitely handy to have a tool such as this at your disposal.  I did notice that it only works in Firefox though...I'm using a Mac.  I first tried to use it with Safari and it didn't work.  I noticed similar issues with Google Chrome.  Javascript cross-browser compatibility issues are always a pain.  All of that aside, this works nicely in Firefox and is very cool.

Regarding the sandboxing...I haven't had a chance to look at your code.  Are you running a servlet here?  If so, maybe a servlet sandbox would take care of some issues...such as prohibiting alteration of your application code.

Hope this helps, and thanks for the cool app.

Josh Juneau
Twitter ID:  javajuneau

On Fri, Mar 12, 2010 at 1:05 PM, Tom Nichols <> wrote:
Hello again, Jython community,

I'd first like to point out an early version of the Python web console:
Powered by Jython!  This is similar to TryPython, except more in the
spirit of the Groovy Web Console where scripts can be published and

I know, the irony level is pretty high here, but I thought it could be
a good showcase for Jython.  However, I'm not entirely comfortable
with the level of sandboxing done for scripts currently.  If I _want_
my scripts to run in a totally isolated environment, with an isolated
classloader (so that generated classes can be thrown away,) how would
I do that?  As I mentioned before, I'm not clear on how to set a
classloader per PythonInterpreter instance, and it appears that a
static classloader is used.  Will defined classes eventually pile up
over time and never be GC'd?

If anyone can point to documentation or give advice on how to properly
isolate and sandbox scripts, that would be great.  In addition, please
feel free to play with the console, tell your friends, and report any
bugs and suggestions for improvement back to me.

The full source can be downloaded from github as well:


2010/3/4 Tom Nichols <>:
> Hi Jython community,
> I'm trying to determine how one would sandbox an untrusted Jython
> script evaluated with PythonInterpreter.
> So far I've figured out that I can create a new PythonInterpreter with
> a new PySystemState every time, which will discard locals after every
> script execution.  However I've noticed that PySystemState uses a lot
> of static fields to keep track of various things.  Is it possible for
> an evaluated python script to affect some static portions of
> PySystemState?
> A secondary question is how to restrict scripts from accessing classes
> that are part of the application.  I don't want scripts to modify my
> data model or reconfigure the web server.  It looks like PySystemState
> takes two classloaders in its static initialize routine -- are one of
> them used to load classes that are referenced from evaluated scripts?
> Some context -- I'm attempting to write an online python script
> interpreter, similar to TryPython, TryRuby, and the Groovy Web
> Console.  Actually I want this to be more like the Groovy Web Console
> where users can publish and share scripts.  I teach an intro to Python
> class and I want my students to share scripts that they've created.
> The app itself will run on Google AppEngine (ironically not the Python
> runtime, since that is apparently more difficult to sandbox).  Since
> Jython is meant to be embedded, I'm hoping someone has figured out how
> to sandbox it properly.
> Thanks in advance for the advice.
> -Tom

Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
Jython-users mailing list