I've almost finished developing a script that exposes an API that can be used to uniformly perform storage operations on any of the web browser storage technologies.
The last bits of functionality that I'm working on are conditional retrieval and removal operations, which (of course) require a conditional expression to be supplied that will be evaluated (either using eval() or, in the case of webSQL, inserted directly after WHERE).
I'd need at least two full-blown parsers (one for webSQL, one for indexedDB) to verify the input as valid, but after a security assessment it seems as though parsing the input, or even sanitizing it, is unnecessary.
I'm a bit unsure of the security implications of evaluating raw strings, so I'd appreciate some input on my security assessment:
User:
Evaluating input supplied either directly or indirectly by a user should be a non-issue due to the sandboxed nature of the storage technologies (he/she'd be manipulating data accessible only to him/her for a given origin), and the fact that nothing can be done with the API that can't be done by the user directly in the browser.
Third-parties:
Storage technologies obey the same-origin policy, and thus cannot access the sandboxed storage areas belonging to other origins.
I feel as though I've overlooked one or more possible security concerns in my assessment; is this the case? Or is the assessment (for the most part) correct?
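As an added example (not code from the question's script), here is one way a uniform conditional-retrieval API can take a structured condition instead of a raw expression string: the webSQL branch gets a `WHERE` fragment with `?` placeholders for `executeSql(sql, args)`, and the indexedDB/localStorage branch gets a plain predicate function, so neither path needs `eval()` or text spliced after `WHERE`. The names `buildWhere`, `makePredicate` and the sample records are my own assumptions.

```javascript
// Added example, not the original script's code. A condition is an object
// {field, op, value}; only a fixed operator table and identifier-shaped
// field names are accepted, so no raw expression is ever evaluated.
const OPS = {
  eq: { sql: "=",  test: (a, b) => a === b },
  ne: { sql: "<>", test: (a, b) => a !== b },
  lt: { sql: "<",  test: (a, b) => a < b },
  gt: { sql: ">",  test: (a, b) => a > b },
};
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

function validate(cond) {
  if (typeof cond.field !== "string" || !IDENT.test(cond.field)) {
    throw new Error("field must be a plain identifier");
  }
  if (!Object.prototype.hasOwnProperty.call(OPS, cond.op)) {
    throw new Error("unknown operator: " + cond.op);
  }
  const t = typeof cond.value;
  if (t !== "string" && t !== "number") throw new Error("value must be string or number");
  return cond;
}

// webSQL branch: WHERE fragment plus bound arguments. Call as
// tx.executeSql("SELECT * FROM items" + sql, args, onSuccess, onError);
// the values travel as parameters, never as SQL text.
function buildWhere(conds) {
  const parts = [];
  const args = [];
  for (const c of conds.map(validate)) {
    parts.push(c.field + " " + OPS[c.op].sql + " ?");
    args.push(c.value);
  }
  return { sql: parts.length ? " WHERE " + parts.join(" AND ") : "", args };
}

// indexedDB / localStorage branch: a predicate applied to each record
// (e.g. inside an IDBCursor loop) in place of eval().
function makePredicate(conds) {
  const checked = conds.map(validate);
  return (record) => checked.every((c) => OPS[c.op].test(record[c.field], c.value));
}

// Constructed sample records standing in for what a cursor would yield.
const SAMPLE = [
  { id: 1, name: "alice", age: 30 },
  { id: 2, name: "bob", age: 17 },
];
function filterSample(conds) {
  return SAMPLE.filter(makePredicate(conds));
}
```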