Allowing client scripting within an App

Hi everyone would appreciate people thoughts on this. We have built an app on the Ionic framework where part of the app is a form creator where users can can create customs forms to capture data and record in our database.

Part of the form feature is allowing formula calculations based on fields. Currently it allows for basic arithmetic expressions where the expressions goes through a parser.

Whilst we can work on building no-code style formulas expressions to do a range of operations but realistically there always going to be something that someone needs that can’t be cover (eg loops, complex if/else statements).

Therefore we are now exploring the implementation of users (pref admin users of the customer) to implement their own client side scripts. A typical script example would be:

user script saved as string

if (fnGetFieldValue('FIELD1') === fnGetFieldValue('FIELD2')) 
  {
    setFnFieldValue('FIELD3')= 'PASS'
  }
App script function

runScript() {
   function fnGetFieldValue(id) {
      // some code
     return value
   }
   setFnFieldValue(id) {
    // some code
   }
   let script: string = this.getUserScript();
   this.DomSanitizer.bypassSecurityTrustScript(script)

}

where the script would have access to a set of defined functions (eg fnGetFieldValue) to retrieve data rather than open slate to all the app’s api.

We understand companies such as squarespace, zoho, powerapps and many other low code solutions allows for custom client API scripting.

The concern we have is security vulnerabilities such as XSS. As our app is not on the open market (ie B2B only) the risk is lower but anycase we are considering of having an approval of the scripts created by users. But given there are many other companies having this feature without any approval process I would very much like to hear other peoples thoughts on this and whether there are strategies that can be implemented to allow of safe implementation of Client side scripts? For example are there a list of functions we could prevent from executing by removing from the script(sanitizer) eg document, eval, window etc?

Thanks in advance.