disable java access to avoid execution of arbitrary (java) code

src/main/java/com/gargoylesoftware/htmlunit/javascript/HtmlUnitContextFactory.java

@@ -32,6 +32,7 @@
 import com.gargoylesoftware.htmlunit.javascript.regexp.HtmlUnitRegExpProxy;
 
 import net.sourceforge.htmlunit.corejs.javascript.Callable;
+import net.sourceforge.htmlunit.corejs.javascript.ClassShutter;
 import net.sourceforge.htmlunit.corejs.javascript.Context;
 import net.sourceforge.htmlunit.corejs.javascript.ContextAction;
 import net.sourceforge.htmlunit.corejs.javascript.ContextFactory;
@@ -274,6 +275,14 @@ protected Context makeContext() {
         final TimeoutContext cx = new TimeoutContext(this);
         cx.setLanguageVersion(Context.VERSION_ES6);
 
+        // make sure no java classes are usable from js
+        cx.setClassShutter(new ClassShutter() {
+            @Override
+            public boolean visibleToScripts(final String fullClassName) {
+                return false;
+            }
+        });
+
         // Use pure interpreter mode to get observeInstructionCount() callbacks.
         cx.setOptimizationLevel(-1);
 

src/main/java/com/gargoylesoftware/htmlunit/javascript/JavaScriptEngine.java

@@ -216,8 +216,7 @@ private void init(final WebWindow webWindow, final Context context) throws Excep
         }
 
         // remove some objects, that Rhino defines in top scope but that we don't want
-        deleteProperties(window, "java", "javax", "org", "com", "edu", "net",
-                "JavaAdapter", "JavaImporter", "Continuation", "Packages", "getClass");
+        deleteProperties(window, "Continuation");
         if (!browserVersion.hasFeature(JS_XML)) {
             deleteProperties(window, "XML", "XMLList", "Namespace", "QName");
         }