Skip to content

Limiting Syntax

jshiki lets you limit what syntax is allowed in expressions by letting you:

  • Disallow certain operators
  • Disallow certain literals and expressions

Disallowing operators

jshiki lets you block specific unary operators, binary operators, logical operators, and the ternary/conditional operator.

For each type of operator aside from the ternay operator, you can either use an allow list, which will only allow the operators you specify, or a block list, which will block all operators you specify.

Here's an example in which we block the use of the binary + operator (not to be confused with the unary + operator, e.g. +1):

// throws Error: Binary operator + is not allowed
jshiki.parse('1 + 2', {
  operators: {
    // blocks the binary + operator
    binary: { block: ['+'] },
  }
})

If instead we were to opt for an allow list, we could specify only the operators we want to allow. Here's an example in which we allow only the logical operators && and ||:

const options = {
  operators: {
    // allows only the logical operators && and ||
    logical: { allow: ['&&', '||'] },
  }
}

jshiki.evaluate('1 && 2 || 3', options) // returns 2

// throws Error: Logical operator ?? is not allowed
jshiki.evaluate('null ?? 1', options)

The conditional operator takes a boolean instead since it is the only ternary operator in Javascript — true allows it, false blocks it.

// throws Error: Conditional/ternary operator is not allowed
jshiki.parse('1 ? 2 : 3', {
  operators: {
    // blocks the ternary/conditional operator
    ternary: false,
  }
})

In full, the operators options object is as follows:

  • operators.unary — Unary operators (e.g. !true, -1)
  • operators.binary — Binary operators (e.g. 1 + 2, 1 !== 2)
  • operators.logical — Logical operators (e.g. true && false, null ?? 1)
  • operators.ternary — Ternary/conditional operator (e.g. a === b ? 2 : 3)

All supported operators, except for typeof, in, and instanceof, are allowed by default. For an exhaustive list, see the API docs.

Disallowing syntax

You can also block specific syntax by setting the corresponding syntax option to false. For example, you might want to disallow the use of function calls:

// throws Error: Function calls are not allowed
jshiki.parse('foo()', {
  syntax: {
    // blocks the use of function calls
    calls: false,
  }
})

In full, the syntax options object is as follows:

  • syntax.memberAccess — Member access (e.g. foo.bar, foo['bar'])
  • syntax.calls — Function calls (e.g. foo())
  • syntax.taggedTemplates — Tagged template literals (e.g. tag`foo ${bar}`)
  • syntax.templates — Template literals (e.g. `foo ${bar}`)
  • syntax.objects — Object literals (e.g. { foo: 1 })
  • syntax.arrays — Array literals (e.g. [1, 2, 3])
  • syntax.regexes — Regular expressions (e.g. /foo/g)

Next, we'll examine another way jshiki lets you limit what expressions can do — rules.