I plan on having an aspect of my site where the users can submit HTML, CSS, and JS, which is then generated ‘live’ into full working pages of HTML. Other users will be able to see this. These pages need to have working Javascript on them.
I understand that’s a pretty major security flaw in itself, but it’s very important this feature is on the site. I had these ideas:
- No external Javascript files can be linked to
- jQuery etc. can be included, but only from a trusted CDN (e.g. Google)
- Certain Javascript functions will be disabled and removed (e.g.
eval()) - Users cannot submit live demo code until they have earnt a certain amount of ‘reputation’
- User-submitted live demo code must be authorised by an administrator before it goes live
- No minified code may be used
And passive security measures:
- Disclaimer, so we’re not held responsible! 😉
- ‘Report’ buttons in case a user finds something dodgy
So here’s the question: What do you think of this, as a security plan? Will these measures combined be enough to stop attackers? Users will be submitting their code in three seperate inputs – CSS, HTML, and JS – so I will be able to filter and sanitise accordingly, then restructure it ‘live’ for others to preview.
Thanks!
Jack
Sounds like a plan, although I imagine its execution is going to be difficult.
JavaScript is so flexible a language that it will probably be impossible to filter out all
eval()-like constructs automatically.There are also many ways to fetch script files from external domains that are going to be hard to tell.
There may be large amounts of code that need manual reviewing.
Focusing on the reputation aspect of the idea (accepting executable code only from trusted users), and running everything on a cookieless “sandbox” domain separate from the domain you log in to, is surely a good idea.
There’s always going to be a risk remaining but I don’t see how that risk is any bigger than on any other web site on the internet that provides JavaScript.