happy-dom 19.0.1 → 20.0.0

package/src/browser/DefaultBrowserSettings.ts

@@ -5,6 +5,7 @@ import IBrowserSettings from './types/IBrowserSettings.js';
 
 export default <IBrowserSettings>{
 	disableJavaScriptEvaluation: false,
+	enableJavaScriptEvaluation: false,
 	disableJavaScriptFileLoading: false,
 	disableCSSFileLoading: false,
 	disableIframePageLoading: false,
@@ -13,6 +14,7 @@ export default <IBrowserSettings>{
 	disableErrorCapturing: false,
 	errorCapture: BrowserErrorCaptureEnum.tryAndCatch,
 	enableFileSystemHttpRequests: false,
+	suppressCodeGenerationFromStringsWarning: false,
 	timer: {
 		maxTimeout: -1,
 		maxIntervalTime: -1,

package/src/browser/types/IBrowserSettings.ts

@@ -11,9 +11,23 @@ import BrowserWindow from '../../window/BrowserWindow.js';
  * Browser settings.
  */
 export default interface IBrowserSettings {
-	/** Disables JavaScript evaluation. */
+	/**
+	 * Disables JavaScript evaluation.
+	 *
+	 * @deprecated Javascript evaluation is now disabled by default. Use "enableJavaScriptEvaluation" if you want to enable it.
+	 */
 	disableJavaScriptEvaluation: boolean;
 
+	/**
+	 * Enables JavaScript evaluation.
+	 *
+	 * A VM Context is not an isolated environment, and if you run untrusted code you are at risk of RCE (Remote Code Execution) attacks.
+	 * It is recommended to disable code generation at process level by running node with the "--disallow-code-generation-from-strings" flag enabled to protect against these types of attacks.
+	 *
+	 * @see https://github.com/capricorn86/happy-dom/wiki/Code-Generation-From-Strings-Warning
+	 */
+	enableJavaScriptEvaluation: boolean;
+
 	/** Disables JavaScript file loading. */
 	disableJavaScriptFileLoading: boolean;
 
@@ -26,6 +40,9 @@ export default interface IBrowserSettings {
 	/** Handle disabled resource loading as success */
 	handleDisabledFileLoadingAsSuccess: boolean;
 
+	/** Suppresses the warning that is printed when code generation from strings is enabled at process level. */
+	suppressCodeGenerationFromStringsWarning: boolean;
+
 	/**
 	 * Settings for timers
 	 */

package/src/browser/types/IOptionalBrowserSettings.ts

@@ -8,9 +8,23 @@ import IOptionalTimerLoopsLimit from '../../window/IOptionalTimerLoopsLimit.js';
 import BrowserWindow from '../../window/BrowserWindow.js';
 
 export default interface IOptionalBrowserSettings {
-	/** Disables JavaScript evaluation. */
+	/**
+	 * Disables JavaScript evaluation.
+	 *
+	 * @deprecated Javascript evaluation is now disabled by default. Use "enableJavaScriptEvaluation" if you want to enable it.
+	 */
 	disableJavaScriptEvaluation?: boolean;
 
+	/**
+	 * Enables JavaScript evaluation.
+	 *
+	 * A VM Context is not an isolated environment, and if you run untrusted code you are at risk of RCE (Remote Code Execution) attacks.
+	 * It is recommended to disable code generation at process level by running node with the "--disallow-code-generation-from-strings" flag enabled to protect against these types of attacks.
+	 *
+	 * @see https://github.com/capricorn86/happy-dom/wiki/Code-Generation-From-Strings-Warning
+	 */
+	enableJavaScriptEvaluation?: boolean;
+
 	/** Disables JavaScript file loading. */
 	disableJavaScriptFileLoading?: boolean;
 
@@ -23,6 +37,9 @@ export default interface IOptionalBrowserSettings {
 	/** Handle disabled file loading as success */
 	handleDisabledFileLoadingAsSuccess?: boolean;
 
+	/** Suppresses the warning that is printed when code generation from strings is enabled at process level. */
+	suppressCodeGenerationFromStringsWarning?: boolean;
+
 	/** Settings for timers */
 	timer?: {
 		maxTimeout?: number;

package/src/browser/utilities/BrowserFrameNavigator.ts

@@ -89,12 +89,12 @@ export default class BrowserFrameNavigator {
 
 		// Javascript protocol
 		if (targetURL.protocol === 'javascript:') {
-			if (frame && !frame.page.context.browser.settings.disableJavaScriptEvaluation) {
+			if (frame && frame.page.context.browser.settings.enableJavaScriptEvaluation) {
 				const readyStateManager = frame.window[PropertySymbol.readyStateManager];
 				const asyncTaskManager = frame[PropertySymbol.asyncTaskManager];
 
 				const taskID = readyStateManager.startTask();
-				const code = `${targetURL.href.replace('javascript:', '')}\n//# sourceURL=${frame.url}`;
+				const code = targetURL.href.replace('javascript:', '');
 
 				// The browser will wait for the next tick before executing the script.
 				// Fixes issue where evaluating the response can throw an error.
@@ -110,7 +110,7 @@ export default class BrowserFrameNavigator {
 							clearImmediate(immediate);
 							resolve(null);
 						});
-						frame.window.eval(code);
+						frame.window[PropertySymbol.evaluateScript](code, { filename: frame.url });
 					});
 				});
 

package/src/html-parser/HTMLParser.ts

@@ -776,10 +776,11 @@ export default class HTMLParser {
 		// However, they are allowed to be executed when document.write() is used.
 		// See: https://developer.mozilla.org/en-US/docs/Web/API/HTMLScriptElement
 		if (upperTagName === 'SCRIPT') {
-			(<HTMLScriptElement>this.currentNode)[PropertySymbol.evaluateScript] = this.evaluateScripts;
+			(<HTMLScriptElement>this.currentNode)[PropertySymbol.disableEvaluation] =
+				!this.evaluateScripts;
 		} else if (upperTagName === 'LINK') {
 			// An assumption that the same rule should be applied for the HTMLLinkElement is made here.
-			(<HTMLLinkElement>this.currentNode)[PropertySymbol.evaluateCSS] = this.evaluateScripts;
+			(<HTMLLinkElement>this.currentNode)[PropertySymbol.disableEvaluation] = !this.evaluateScripts;
 		}
 
 		// Plain text elements such as <script> and <style> should only contain text.

package/src/module/ECMAScriptModuleCompiler.ts

@@ -401,10 +401,14 @@ export default class ECMAScriptModuleCompiler {
 		}
 
 		newCode += '})';
-		newCode += `\n//# sourceURL=${sourceURL || moduleURL}`;
 
 		try {
-			return { imports, execute: this.window.eval(newCode) };
+			return {
+				imports,
+				execute: this.window[PropertySymbol.evaluateScript](newCode, {
+					filename: sourceURL || moduleURL
+				})
+			};
 		} catch (e) {
 			const errorMessage = this.getError(moduleURL, code, sourceURL) || (<Error>e).message;
 			const error = new this.window.SyntaxError(

package/src/nodes/document/Document.ts

@@ -1472,7 +1472,7 @@ export default class Document extends Node {
 	): NodeList<IHTMLElementTagNameMap[K]>;
 
 	/**
-	 * Query CSS selector to find matching elments.
+	 * Query CSS selector to find matching elements.
 	 *
 	 * @param selector CSS selector.
 	 * @returns Matching elements.
@@ -1482,7 +1482,7 @@ export default class Document extends Node {
 	): NodeList<ISVGElementTagNameMap[K]>;
 
 	/**
-	 * Query CSS selector to find matching elments.
+	 * Query CSS selector to find matching elements.
 	 *
 	 * @param selector CSS selector.
 	 * @returns Matching elements.
@@ -1490,7 +1490,7 @@ export default class Document extends Node {
 	public querySelectorAll(selector: string): NodeList<Element>;
 
 	/**
-	 * Query CSS selector to find matching elments.
+	 * Query CSS selector to find matching elements.
 	 *
 	 * @param selector CSS selector.
 	 * @returns Matching elements.

package/src/nodes/element/ElementEventAttributeUtility.ts

@@ -32,7 +32,7 @@ export default class ElementEventAttributeUtility {
 
 		const browserSettings = new WindowBrowserContext(window).getSettings();
 
-		if (!browserSettings) {
+		if (!browserSettings || !browserSettings.enableJavaScriptEvaluation) {
 			return null;
 		}
 
@@ -63,13 +63,14 @@ export default class ElementEventAttributeUtility {
 		}
 
 		newCode += '})';
-		newCode += `\n//# sourceURL=${window.location.href}`;
 
 		let listener: ((event: Event) => void) | null = null;
 
 		try {
-			listener = window.eval(newCode).bind(element, {
-				dispatchError: window[PropertySymbol.dispatchError]
+			listener = window[PropertySymbol.evaluateScript](newCode, {
+				filename: window.location.href
+			}).bind(element, {
+				dispatchError: window[PropertySymbol.dispatchError].bind(window)
 			});
 		} catch (e) {
 			const error = new window.SyntaxError(

package/src/nodes/html-link-element/HTMLLinkElement.ts

@@ -24,7 +24,7 @@ import IResourceFetchResponse from '../../fetch/types/IResourceFetchResponse.js'
 export default class HTMLLinkElement extends HTMLElement {
 	// Internal properties
 	public [PropertySymbol.sheet]: CSSStyleSheet | null = null;
-	public [PropertySymbol.evaluateCSS] = true;
+	public [PropertySymbol.disableEvaluation] = false;
 	public [PropertySymbol.relList]: DOMTokenList | null = null;
 	#loadedStyleSheetURL: string | null = null;
 
@@ -305,7 +305,7 @@ export default class HTMLLinkElement extends HTMLElement {
 			!browserSettings ||
 			!this[PropertySymbol.isConnected] ||
 			browserSettings.disableJavaScriptFileLoading ||
-			browserSettings.disableJavaScriptEvaluation
+			!browserSettings.enableJavaScriptEvaluation
 		) {
 			return;
 		}
@@ -351,7 +351,7 @@ export default class HTMLLinkElement extends HTMLElement {
 
 		if (
 			as === 'script' &&
-			(browserSettings.disableJavaScriptFileLoading || browserSettings.disableJavaScriptEvaluation)
+			(browserSettings.disableJavaScriptFileLoading || !browserSettings.enableJavaScriptEvaluation)
 		) {
 			return;
 		}
@@ -422,7 +422,7 @@ export default class HTMLLinkElement extends HTMLElement {
 
 		const browserSettings = browserFrame.page.context.browser.settings;
 
-		if (!this[PropertySymbol.evaluateCSS] || !this[PropertySymbol.isConnected]) {
+		if (this[PropertySymbol.disableEvaluation] || !this[PropertySymbol.isConnected]) {
 			return;
 		}
 

package/src/nodes/html-media-element/TextTrackList.ts

@@ -9,6 +9,9 @@ import ClassMethodBinder from '../../utilities/ClassMethodBinder.js';
  * @see https://developer.mozilla.org/en-US/docs/Web/API/TextTrackList
  */
 export default class TextTrackList extends EventTarget {
+	// Index signature
+	[index: number]: TextTrack | undefined;
+
 	// Internal properties
 	public [PropertySymbol.items]: TextTrack[] = [];
 

package/src/nodes/html-script-element/HTMLScriptElement.ts

@@ -25,7 +25,7 @@ export default class HTMLScriptElement extends HTMLElement {
 	public declare cloneNode: (deep?: boolean) => HTMLScriptElement;
 
 	// Internal properties
-	public [PropertySymbol.evaluateScript] = true;
+	public [PropertySymbol.disableEvaluation] = false;
 	public [PropertySymbol.blocking]: DOMTokenList | null = null;
 
 	// Private properties
@@ -349,32 +349,34 @@ export default class HTMLScriptElement extends HTMLElement {
 
 		super[PropertySymbol.connectedToDocument]();
 
-		if (this[PropertySymbol.evaluateScript]) {
-			const src = this.getAttribute('src');
+		if (this[PropertySymbol.disableEvaluation]) {
+			return;
+		}
 
-			if (src !== null) {
-				if (this.getAttribute('type') === 'module') {
-					this.#loadModule(src);
-				} else {
-					this.#loadScript(src);
-				}
-			} else if (browserSettings && !browserSettings.disableJavaScriptEvaluation) {
-				const source = this.textContent;
-				const type = this.getAttribute('type');
-
-				if (source) {
-					if (type === 'module') {
-						this.#evaluateModule(source);
-					} else if (type === 'importmap') {
-						this.#evaluateImportMap(source);
-					} else if (
-						type === null ||
-						type === 'application/x-ecmascript' ||
-						type === 'application/x-javascript' ||
-						type.startsWith('text/javascript')
-					) {
-						this.#evaluateScript(source);
-					}
+		const src = this.getAttribute('src');
+
+		if (src !== null) {
+			if (this.getAttribute('type') === 'module') {
+				this.#loadModule(src);
+			} else {
+				this.#loadScript(src);
+			}
+		} else if (browserSettings && browserSettings.enableJavaScriptEvaluation) {
+			const source = this.textContent;
+			const type = this.getAttribute('type');
+
+			if (source) {
+				if (type === 'module') {
+					this.#evaluateModule(source);
+				} else if (type === 'importmap') {
+					this.#evaluateImportMap(source);
+				} else if (
+					type === null ||
+					type === 'application/x-ecmascript' ||
+					type === 'application/x-javascript' ||
+					type.startsWith('text/javascript')
+				) {
+					this.#evaluateScript(source);
 				}
 			}
 		}
@@ -413,7 +415,7 @@ export default class HTMLScriptElement extends HTMLElement {
 		const browserSettings = new WindowBrowserContext(window).getSettings();
 		const browserFrame = new WindowBrowserContext(window).getBrowserFrame();
 
-		if (!browserFrame || !browserSettings) {
+		if (!browserFrame || !browserSettings || !browserSettings.enableJavaScriptEvaluation) {
 			return;
 		}
 
@@ -446,7 +448,12 @@ export default class HTMLScriptElement extends HTMLElement {
 		const browserSettings = new WindowBrowserContext(window).getSettings();
 		const browserFrame = new WindowBrowserContext(window).getBrowserFrame();
 
-		if (!browserFrame || !browserSettings || window[PropertySymbol.moduleImportMap]) {
+		if (
+			!browserFrame ||
+			!browserSettings ||
+			window[PropertySymbol.moduleImportMap] ||
+			!browserSettings.enableJavaScriptEvaluation
+		) {
 			return;
 		}
 
@@ -510,9 +517,9 @@ export default class HTMLScriptElement extends HTMLElement {
 	/**
 	 * Evaluates a script.
 	 *
-	 * @param source Source.
+	 * @param code Code.
 	 */
-	#evaluateScript(source: string): void {
+	#evaluateScript(code: string): void {
 		const window = this[PropertySymbol.window];
 		const browserSettings = new WindowBrowserContext(window).getSettings();
 
@@ -522,16 +529,18 @@ export default class HTMLScriptElement extends HTMLElement {
 
 		this[PropertySymbol.ownerDocument][PropertySymbol.currentScript] = this;
 
-		const code = `${source}\n//# sourceURL=${this[PropertySymbol.ownerDocument].location.href}`;
-
 		if (
 			browserSettings.disableErrorCapturing ||
 			browserSettings.errorCapture !== BrowserErrorCaptureEnum.tryAndCatch
 		) {
-			window.eval(code);
+			window[PropertySymbol.evaluateScript](code, {
+				filename: this[PropertySymbol.ownerDocument].location.href
+			});
 		} else {
 			try {
-				window.eval(code);
+				window[PropertySymbol.evaluateScript](code, {
+					filename: this[PropertySymbol.ownerDocument].location.href
+				});
 			} catch (error) {
 				window[PropertySymbol.dispatchError](<Error>error);
 			}
@@ -560,7 +569,7 @@ export default class HTMLScriptElement extends HTMLElement {
 
 		if (
 			browserSettings &&
-			(browserSettings.disableJavaScriptFileLoading || browserSettings.disableJavaScriptEvaluation)
+			(browserSettings.disableJavaScriptFileLoading || !browserSettings.enableJavaScriptEvaluation)
 		) {
 			if (browserSettings.handleDisabledFileLoadingAsSuccess) {
 				this.dispatchEvent(new Event('load'));
@@ -639,7 +648,7 @@ export default class HTMLScriptElement extends HTMLElement {
 
 		if (
 			browserSettings &&
-			(browserSettings.disableJavaScriptFileLoading || browserSettings.disableJavaScriptEvaluation)
+			(browserSettings.disableJavaScriptFileLoading || !browserSettings.enableJavaScriptEvaluation)
 		) {
 			if (browserSettings.handleDisabledFileLoadingAsSuccess) {
 				this.dispatchEvent(new Event('load'));
@@ -693,18 +702,18 @@ export default class HTMLScriptElement extends HTMLElement {
 
 		this[PropertySymbol.ownerDocument][PropertySymbol.currentScript] = this;
 
-		const code = `${response.content}\n//# sourceURL=${
-			response.virtualServerFile || absoluteURLString
-		}`;
-
 		if (
 			browserSettings.disableErrorCapturing ||
 			browserSettings.errorCapture !== BrowserErrorCaptureEnum.tryAndCatch
 		) {
-			this[PropertySymbol.window].eval(code);
+			this[PropertySymbol.window][PropertySymbol.evaluateScript](response.content, {
+				filename: response.virtualServerFile || absoluteURLString
+			});
 		} else {
 			try {
-				this[PropertySymbol.window].eval(code);
+				this[PropertySymbol.window][PropertySymbol.evaluateScript](response.content, {
+					filename: response.virtualServerFile || absoluteURLString
+				});
 			} catch (error) {
 				this[PropertySymbol.ownerDocument][PropertySymbol.currentScript] = null;
 				window[PropertySymbol.dispatchError](<Error>error);

package/src/nodes/html-select-element/HTMLSelectElement.ts

@@ -25,6 +25,9 @@ import BrowserWindow from '../../window/BrowserWindow.js';
  * https://developer.mozilla.org/en-US/docs/Web/API/HTMLSelectElement.
  */
 export default class HTMLSelectElement extends HTMLElement {
+	// Index signature
+	[index: number]: HTMLOptionElement | undefined;
+
 	// Injected by WindowContextClassExtender
 	protected declare [PropertySymbol.window]: BrowserWindow;
 

package/src/query-selector/QuerySelector.ts

@@ -115,7 +115,11 @@ export default class QuerySelector {
 			}
 		}
 
-		const groups = SelectorParser.getSelectorGroups(selector, { scope: node });
+		const scope =
+			node[PropertySymbol.nodeType] === NodeTypeEnum.documentNode
+				? (<Document>node).documentElement
+				: node;
+		const groups = SelectorParser.getSelectorGroups(selector, { scope });
 		const items: Element[] = [];
 		const nodeList = new NodeList<Element>(PropertySymbol.illegalConstructor, items);
 		const matchesMap: Map<string, Element> = new Map();
@@ -251,7 +255,11 @@ export default class QuerySelector {
 
 		const matchesMap: Map<string, Element> = new Map();
 		const matchedPositions: string[] = [];
-		for (const items of SelectorParser.getSelectorGroups(selector, { scope: node })) {
+		const scope =
+			node[PropertySymbol.nodeType] === NodeTypeEnum.documentNode
+				? (<Document>node).documentElement
+				: node;
+		for (const items of SelectorParser.getSelectorGroups(selector, { scope })) {
 			const match =
 				node[PropertySymbol.nodeType] === NodeTypeEnum.elementNode
 					? this.findFirst(<Element>node, [<Element>node], items, cachedItem)
@@ -350,9 +358,14 @@ export default class QuerySelector {
 			);
 		}
 
+		const scopeOrElement = options?.scope || element;
+		const scope =
+			scopeOrElement[PropertySymbol.nodeType] === NodeTypeEnum.documentNode
+				? (<Document>scopeOrElement).documentElement
+				: scopeOrElement;
 		for (const items of SelectorParser.getSelectorGroups(selector, {
 			...options,
-			scope: options?.scope || element
+			scope
 		})) {
 			const result = this.matchSelector(element, items.reverse(), cachedItem);
 

package/src/query-selector/SelectorItem.ts

@@ -5,7 +5,6 @@ import SelectorCombinatorEnum from './SelectorCombinatorEnum.js';
 import ISelectorAttribute from './ISelectorAttribute.js';
 import ISelectorMatch from './ISelectorMatch.js';
 import ISelectorPseudo from './ISelectorPseudo.js';
-import Document from '../nodes/document/Document.js';
 import DocumentFragment from '../nodes/document-fragment/DocumentFragment.js';
 
 const SPACE_REGEXP = /\s+/;
@@ -14,7 +13,8 @@ const SPACE_REGEXP = /\s+/;
  * Selector item.
  */
 export default class SelectorItem {
-	public scope: Element | Document | DocumentFragment | null;
+	public root: Element | DocumentFragment | null;
+	public scope: Element | DocumentFragment | null;
 	public tagName: string | null;
 	public id: string | null;
 	public classNames: string[] | null;
@@ -39,7 +39,7 @@ export default class SelectorItem {
 	 * @param [options.ignoreErrors] Ignore errors.
 	 */
 	constructor(options?: {
-		scope?: Element | Document | DocumentFragment;
+		scope?: Element | DocumentFragment;
 		tagName?: string;
 		id?: string;
 		classNames?: string[];
@@ -49,6 +49,7 @@ export default class SelectorItem {
 		combinator?: SelectorCombinatorEnum;
 		ignoreErrors?: boolean;
 	}) {
+		this.root = options?.scope ? options.scope[PropertySymbol.ownerDocument].documentElement : null;
 		this.scope = options?.scope || null;
 		this.tagName = options?.tagName || null;
 		this.id = options?.id || null;
@@ -251,7 +252,7 @@ export default class SelectorItem {
 					? { priorityWeight: 10 }
 					: null;
 			case 'root':
-				return element[PropertySymbol.tagName] === 'HTML' ? { priorityWeight: 10 } : null;
+				return this.root && element === this.root ? { priorityWeight: 10 } : null;
 			case 'not':
 				for (const selectorItem of pseudo.selectorItems!) {
 					if (selectorItem.match(element)) {
@@ -385,7 +386,7 @@ export default class SelectorItem {
 					? { priorityWeight: 10 }
 					: null;
 			case 'scope':
-				return this.scope === element ? { priorityWeight: 10 } : null;
+				return this.scope && this.scope === element ? { priorityWeight: 10 } : null;
 			default:
 				return null;
 		}

package/src/query-selector/SelectorParser.ts

@@ -3,7 +3,6 @@ import SelectorCombinatorEnum from './SelectorCombinatorEnum.js';
 import DOMException from '../exception/DOMException.js';
 import ISelectorPseudo from './ISelectorPseudo.js';
 import Element from '../nodes/element/Element.js';
-import Document from '../nodes/document/Document.js';
 import DocumentFragment from '../nodes/document-fragment/DocumentFragment.js';
 
 /**
@@ -72,13 +71,16 @@ export default class SelectorParser {
 	 *
 	 * @param selector Selector.
 	 * @param options Options.
-	 * @param options.scope Scope.
+	 * @param [options.scope] Scope.
 	 * @param [options.ignoreErrors] Ignores errors.
 	 * @returns Selector item.
 	 */
 	public static getSelectorItem(
 		selector: string,
-		options?: { scope?: Element | Document | DocumentFragment; ignoreErrors?: boolean }
+		options?: {
+			scope?: Element | DocumentFragment;
+			ignoreErrors?: boolean;
+		}
 	): SelectorItem {
 		return this.getSelectorGroups(selector, options)[0][0];
 	}
@@ -88,13 +90,16 @@ export default class SelectorParser {
 	 *
 	 * @param selector Selector.
 	 * @param options Options.
-	 * @param options.scope Scope.
+	 * @param [options.scope] Scope.
 	 * @param [options.ignoreErrors] Ignores errors.
 	 * @returns Selector groups.
 	 */
 	public static getSelectorGroups(
 		selector: string,
-		options?: { scope?: Element | Document | DocumentFragment; ignoreErrors?: boolean }
+		options?: {
+			scope?: Element | DocumentFragment;
+			ignoreErrors?: boolean;
+		}
 	): Array<Array<SelectorItem>> {
 		selector = selector.trim();
 		const ignoreErrors = options?.ignoreErrors;
@@ -296,15 +301,18 @@ export default class SelectorParser {
 	 *
 	 * @param name Pseudo name.
 	 * @param args Pseudo arguments.
-	 * @param options Options.
-	 * @param options.scope Scope.
+	 * @param [options] Options.
+	 * @param [options.scope] Scope.
 	 * @param [options.ignoreErrors] Ignores errors.
 	 * @returns Pseudo.
 	 */
 	private static getPseudo(
 		name: string,
 		args: string | null | undefined,
-		options?: { scope?: Element | Document | DocumentFragment; ignoreErrors?: boolean }
+		options?: {
+			scope?: Element | DocumentFragment;
+			ignoreErrors?: boolean;
+		}
 	): ISelectorPseudo {
 		const lowerName = name.toLowerCase();
 

package/src/window/BrowserWindow.ts

@@ -331,6 +331,16 @@ const TIMER = {
 
 const IS_NODE_JS_TIMEOUT_ENVIRONMENT = setTimeout.toString().includes('new Timeout');
 
+const IS_PROCESS_LEVEL_CODE_GENERATION_FROM_STRINGS_ALLOWED = (() => {
+	try {
+		// eslint-disable-next-line no-new-func
+		new Function('return true;')();
+		return true;
+	} catch {
+		return false;
+	}
+})();
+
 /**
  * Class for PerformanceObserverEntryList as it is only available as an interface from Node.js.
  */
@@ -779,6 +789,7 @@ export default class BrowserWindow extends EventTarget implements INodeJSGlobal
 	public declare encodeURI: typeof encodeURI;
 	public declare encodeURIComponent: typeof encodeURIComponent;
 	public declare eval: typeof eval;
+
 	/**
 	 * @deprecated
 	 */
@@ -847,6 +858,21 @@ export default class BrowserWindow extends EventTarget implements INodeJSGlobal
 	constructor(browserFrame: IBrowserFrame, options?: { url?: string }) {
 		super();
 
+		if (
+			IS_PROCESS_LEVEL_CODE_GENERATION_FROM_STRINGS_ALLOWED &&
+			browserFrame.page.context.browser.settings.enableJavaScriptEvaluation &&
+			!browserFrame.page.context.browser.settings.suppressCodeGenerationFromStringsWarning
+		) {
+			// eslint-disable-next-line no-console
+			console.warn(
+				'\nWarning! Happy DOM has JavaScript evaluation enabled and is running in an environment with code generation from strings (eval) enabled at process level.' +
+					'\n\nA VM Context is not an isolated environment, and if you run untrusted code you are at risk of RCE (Remote Code Execution) attacks. The attacker can use code generation to escape the VM and run code at process level.' +
+					'\n\nIt is recommended to disable code generation at process level by running node with the "--disallow-code-generation-from-strings" flag enabled when Javascript evaluation is enabled in Happy DOM.' +
+					' You can suppress this warning by setting "suppressCodeGenerationFromStringsWarning" to "true" at your own risk.' +
+					'\n\nFor more information, see https://github.com/capricorn86/happy-dom/wiki/Code-Generation-From-Strings-Warning\n\n'
+			);
+		}
+
 		this.#browserFrame = browserFrame;
 
 		this.console = browserFrame.page.console;
@@ -1806,6 +1832,18 @@ export default class BrowserWindow extends EventTarget implements INodeJSGlobal
 		this.dispatchEvent(new ErrorEvent('error', { message: error.message, error }));
 	}
 
+	/**
+	 * Evaluates code in a VM context.
+	 *
+	 * @param code Code.
+	 * @param [options] Options.
+	 * @param [options.filename] Filename.
+	 * @returns any.
+	 */
+	public [PropertySymbol.evaluateScript](code: string, options?: { filename?: string }): any {
+		return new VM.Script(code, options).runInContext(this);
+	}
+
 	/**
 	 * Setup of VM context.
 	 */