How to add scripting to an editor?

Hi all,

I’m trying to add scripting to my editor but I can’t make it work right.
I have a main scene, that serves a purpose to an editor, where you can drag models around, change textures, import models and so on.

Because there is a main scene that has features, I can’t dispose of it and just create a new one with the new changes from the code editor like in the playground.

What would be the best approach for adding code dynamically to the scene but without remembering the previous changes?

If I do something like this

scene.registerBeforeRender(() => {
    box.rotation.x += 0.01;
})

Every time the execute code is clicked, the box will spin faster and faster.
The scene is created once and after that the user code is appended.

I’m using function constructors to create the code from the editor. Also a side question, is using eval or function constructors safe if the user code does not touch the server?

I would like to make that editor available to other people when it’s done of course, it’s been great fun so far.

If you want to load some assets, do some stuff with them, and then reload them in their original state, I believe an AssetContainer would work for you. You can load and add assets to the container and add and remove them from the scene. Another option would be to clone or instance each object the scripts can interact with (hiding the original) and then simply dispose of the instance and create a new instance. The former will manage the list of all assets added to it for you, whereas the latter you have to manage yourself, but it is easier to create multiple instances of a subset of the objects in inventory. Be advised that when cloning or instancing, some properties don’t get cloned by default, so you could be sharing those across instances. If I were going this route, I would use the instantiateHierarchy function on Mesh so you can be very deliberate about what you want cloned.

Neither Function nor eval is particularly safe, but Function is generally safer. I would recommend creating a stripped down API that only exposes the functions you want your scripts to perform and inject that into the scripts, so that the scripts are constrained and don’t have full access to your code.

1 Like
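An added example (not code from this thread or from Babylon.js) of the stripped-down API suggested above, combined with a fix for the "spins faster on every execute" problem from the question: the runner remembers each per-frame callback the script registers and removes it before the next run. `createStubScene`, `createScriptRunner`, `api.getMesh` and `api.onBeforeRender` are hypothetical names, and the stub scene stands in for a real Babylon.js scene so the block runs under Node.

```javascript
// Minimal stand-in for a Babylon.js scene (constructed for this example) so the
// block runs under Node; in the editor, pass the real scene instead.
function createStubScene() {
  const callbacks = new Set();
  return {
    registerBeforeRender(fn) { callbacks.add(fn); },
    unregisterBeforeRender(fn) { callbacks.delete(fn); },
    render() { callbacks.forEach((fn) => fn()); },
    callbackCount() { return callbacks.size; },
  };
}

// Hypothetical runner: hands user code a narrow `api` object and remembers
// every per-frame callback so the next run can remove it.
function createScriptRunner(scene, meshes) {
  let registered = [];
  function reset() {
    registered.forEach((fn) => scene.unregisterBeforeRender(fn));
    registered = [];
  }

  function run(source) {
    reset(); // drop callbacks left over from the previous "execute" click
    const api = Object.freeze({
      // `meshes` is a Map of the objects scripts are allowed to touch.
      getMesh(name) {
        if (!meshes.has(name)) throw new Error(`unknown mesh: ${name}`);
        return meshes.get(name);
      },
      onBeforeRender(fn) {
        if (typeof fn !== "function") throw new TypeError("callback required");
        registered.push(fn);
        scene.registerBeforeRender(fn);
      },
    });
    // Function-constructed code sees its parameters and globals only, not the
    // editor's local variables, so `scene` itself is never handed over.
    const userFn = new Function("api", `"use strict";\n${source}`);
    userFn(api);
  }

  return { run, reset };
}

// Constructed sample: the rotating-box script from the question, via the API.
const SAMPLE_SCRIPT = `
  const box = api.getMesh("box");
  api.onBeforeRender(() => { box.rotation.x += 0.01; });
`;
```

Function-constructed code can still reach global objects, so this constrains what the script is handed rather than sandboxing it.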

Probably this thread may help - Custom JavaScript Interpreter/Parser?

1 Like

Thank you, AssetContainer seems to be what I was missing.

I was thinking about, instead of creating my own functions, letting anyone write just Babylon or plain JS code.
That code won’t be executed on the server, just locally; is there any real risk then?

Thank you, it was helpful

The risk is that you may end up exposing aspects of your code you don’t want exposed. Could a user be tricked into downloading and executing a script? If so, that script could potentially execute code as that user. If that user is a privileged user, the executed code could grant admin privileges to a guest account to allow that guest user to take admin control of the system or perform other admin actions that the script author wants.

Even if you aren’t worried about that, you may end up exposing aspects of BJS that you aren’t equipped to deal with a script changing. If your code is eventually intended for production use, I highly recommend you build an API that narrows the scope of what the script can do to things that will always produce a predictable outcome for your app.

2 Likes

The user could not be tricked into downloading a script from someone else, just their own.
I understand why building the API would be better security-wise, but I would rather allow writing BJS code, allowing for much more functionality, if there are no real security implications.