SkillAgentSearch skills...

V8js

V8 Javascript Engine for PHP — This PHP extension embeds the Google V8 Javascript Engine

GenerateConvertImprove

Install / Use

/learn @phpv8/V8js
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

V8Js

Test building extension GitHub license Join the chat at https://gitter.im/phpv8/v8js

V8Js is a PHP extension for Google's V8 Javascript engine.

The extension allows you to execute Javascript code in a secure sandbox from PHP. The executed code can be restricted using a time limit and/or memory limit. This provides the possibility to execute untrusted code with confidence.

Minimum requirements

  • V8 Javascript Engine library (libv8) master https://github.com/v8/v8-git-mirror (trunk)

    V8 is Google's open source Javascript engine. V8 is written in C++ and is used in Google Chrome, the open source browser from Google. V8 implements ECMAScript as specified in ECMA-262, 5th edition.

    This extension requires V8 9.0 or higher.

    V8 releases are published rather quickly and the V8 team usually provides security support for the version line shipped with the Chrome browser (stable channel) and newer (only). For a version overview see https://chromiumdash.appspot.com/branches.

  • PHP 8.0.0+

    This embedded implementation of the V8 engine uses thread locking so it works with ZTS enabled.

Windows is currently not officially supported. Mostly since I don't have the time to maintain support for it myself, and don't really have Windows boxes to try things with. It would be great if someone could step up and fix things on Windows, provide pre-build V8 binaries, etc.

There is a branch named php7 which targets PHP 7.0.0+

Pre-built binaries

For some very first steps, instead of compiling manually you might want to try out the V8Js docker image. It has v8, v8js and php-cli pre-installed so you can give it a try with PHP in "interactive mode". There is no Apache, etc. running however.

Compiling latest version

Building on Microsoft Windows is a bit more involved, see README.Win32.md file for a quick run through. Building on GNU/Linux and MacOS X is straight forward, see README.Linux.md and README.MacOS.md files for a walk through with platform specific notes.

PHP API

<?php
class V8Js
{
    /* Constants */

    const V8_VERSION = '';

    const FLAG_NONE = 1;
    const FLAG_FORCE_ARRAY = 2;
    const FLAG_PROPAGATE_PHP_EXCEPTIONS = 4;

    /* Methods */

    /**
     * Initializes and starts V8 engine and returns new V8Js object with it's own V8 context.
     * @param string $object_name
     * @param array $variables
     * @param string $snapshot_blob
     */
    public function __construct($object_name = "PHP", array $variables = [], $snapshot_blob = NULL)
    {}

    /**
     * Provide a function or method to be used to load required modules. This can be any valid PHP callable.
     * The loader function will receive the normalised module path and should return Javascript code to be executed.
     * @param callable $loader
     */
    public function setModuleLoader(callable $loader)
    {}

    /**
     * Provide a function or method to be used to normalise module paths. This can be any valid PHP callable.
     * This can be used in combination with setModuleLoader to influence normalisation of the module path (which
     * is normally done by V8Js itself but can be overriden this way).
     * The normaliser function will receive the base path of the current module (if any; otherwise an empty string)
     * and the literate string provided to the require method and should return an array of two strings (the new
     * module base path as well as the normalised name).  Both are joined by a '/' and then passed on to the
     * module loader (unless the module was cached before).
     * @param callable $normaliser
     */
    public function setModuleNormaliser(callable $normaliser)
    {}

    /**
     * Provate a function or method to be used to convert/proxy PHP exceptions to JS.
     * This can be any valid PHP callable.
     * The converter function will receive the PHP Exception instance that has not been caught and
     * is due to be forwarded to JS.  Pass NULL as $filter to uninstall an existing filter.
     */
    public function setExceptionFilter(callable $filter)
    {}

    /**
     * Compiles and executes script in object's context with optional identifier string.
     * A time limit (milliseconds) and/or memory limit (bytes) can be provided to restrict execution. These options will throw a V8JsTimeLimitException or V8JsMemoryLimitException.
     * @param string $script
     * @param string $identifier
     * @param int $flags
     * @param int $time_limit in milliseconds
     * @param int $memory_limit in bytes
     * @return mixed
     */
    public function executeString($script, $identifier = '', $flags = V8Js::FLAG_NONE, $time_limit = 0, $memory_limit = 0)
    {}

    /**
     * Compiles a script in object's context with optional identifier string.
     * @param $script
     * @param string $identifier
     * @return resource
     */
    public function compileString($script, $identifier = '')
    {}

    /**
     * Executes a precompiled script in object's context.
     * A time limit (milliseconds) and/or memory limit (bytes) can be provided to restrict execution. These options will throw a V8JsTimeLimitException or V8JsMemoryLimitException.
     * @param resource $script
     * @param int $flags
     * @param int $time_limit
     * @param int $memory_limit
     */
    public function executeScript($script, $flags = V8Js::FLAG_NONE, $time_limit = 0 , $memory_limit = 0)
    {}

    /**
     * Set the time limit (in milliseconds) for this V8Js object
     * works similar to the set_time_limit php
     * @param int $limit
     */
    public function setTimeLimit($limit)
    {}

    /**
     * Set the memory limit (in bytes) for this V8Js object
     * @param int $limit
     */
    public function setMemoryLimit($limit)
    {}

    /**
     * Set the average object size (in bytes) for this V8Js object.
     * V8's "amount of external memory" is adjusted by this value for every exported object.  V8 triggers a garbage collection once this totals to 192 MB.
     * @param int $average_object_size
     */
    public function setAverageObjectSize($average_object_size)
    {}

    /**
     * Returns uncaught pending exception or null if there is no pending exception.
     * @return V8JsScriptException|null
     */
    public function getPendingException()
    {}

    /**
     * Clears the uncaught pending exception
     */
    public function clearPendingException()
    {}

    /** Static methods **/

    /**
     * Creates a custom V8 heap snapshot with the provided JavaScript source embedded.
     * @param string $embed_source
     * @return string|false
     */
    public static function createSnapshot($embed_source)
    {}
}

final class V8JsScriptException extends Exception
{
    /**
     * @return string
     */
    final public function getJsFileName( ) {}

    /**
     * @return int
     */
    final public function getJsLineNumber( ) {}
    /**
     * @return int
     */
    final public function getJsStartColumn( ) {}
    /**
     * @return int
     */
    final public function getJsEndColumn( ) {}

    /**
     * @return string
     */
    final public function getJsSourceLine( ) {}
    /**
     * @return string
     */
    final public function getJsTrace( ) {}
}

final class V8JsTimeLimitException extends Exception
{
}

final class V8JsMemoryLimitException extends Exception
{
}

Javascript API

    // Print a string.
    print(string);

    // Dump the contents of a variable.
    var_dump(value);

    // Terminate Javascript execution immediately.
    exit();

    // CommonJS Module support to require external code.
    // This makes use of the PHP module loader provided via V8Js::setModuleLoader (see PHP API above).
    require("path/to/module");

The JavaScript in operator, when applied to a wrapped PHP object, works the same as the PHP isset() function. Similarly, when applied to a wrapped PHP object, JavaScript delete works like PHP unset.

<?php
class Foo {
  var $bar = null;
}
$v8 = new V8Js();
$v8->foo = new Foo;
// This prints "no"
$v8->executeString('print( "bar" in PHP.foo ? "yes" : "no" );');
?>

PHP has separate namespaces for properties and methods, while JavaScript has just one. Usually this isn't an issue, but if you need to you can use a leading $ to specify a property, or __call to specifically invoke a method.

<?php
class Foo {
	var $bar = "bar";
	function bar($what) { echo "I'm a ", $what, "!\n"; }
}

$foo = new Foo;
// This prints 'bar'
echo $foo->bar, "\n";
// This prints "I'm a function!"
$foo->bar("function");

$v8 = new V8Js();
$v8->foo = new Foo;
// This prints 'bar'
$v8->executeString('print(PHP.foo.$bar, "\n");');
// This prints "I'm a function!"
$v8->executeString('PHP.foo.__call("bar", ["function"]);');
?>

Mapping Rules

PHP and JavaScript data types don't match exactly. This is of course both languages have data types to handle numbers. Yet PHP differentiates between integers and floating point numbers contrary JavaScript only has a type Number, which is a IEEE 754 floating point number. In many cases this doesn't matter at all, when both languages can represent the same number well. However there are edge cases.

On 64-bit systems PHP allows integers to have 64 significant bits, JavaScripts number type (i.e. IEEE 754) however has 52 bit mantissa only. Hence some precission will be lost. This starts to matter

phpv8

View profile

View on GitHub
GitHub Stars1.9k
CategoryDevelopment
Updated24d ago
Forks204
phpv8/v8js

Languages

C++

Security Score

100/100

Audited on Mar 8, 2026

No findings