We prevent access to classes and functions that could be used maliciously by whitelisting what can be used.
When playing s&box, any code that doesn't pass these checks will not be loaded. In the editor, the compiler will generate a SB1000 Whitelist Error: ``*'x' is not allowed when whitelist is enabled*
.
Editor code, including libraries, doesn't have to follow these restrictions. If you are developing a standalone game, you can opt out, but you won't be able to publish to the platform while the whitelist is disabled.
If there's an API you need access to that isn't in the whitelist and you believe it's harmless, please report it on our issue tracker with your reasoning, and we'll review it. Please include the symbol as it appears in the error.
As bugs in this system represent serious security issues, please report discoveries as described here.
Do not report them publicly.
For many standard .NET APIs that are blocked, we provide similar functionality via a safe sandboxed API of our own.
Here are some of the common ones to help new devs. Check out our full API reference here.
❌ Not allowed | ✅ Allowed |
---|---|
Console.Log |
Use Log.Info as a drop-in replacement. |
System.IO* |
Most standard .NET IO isn't allowed, but you can use our Filesystem API for storage of user data. |