I want to allow user-contributed JavaScript in areas of my website.
- Is this completely insane?
- Are there any JavaScript sanitizer scripts or good regex patterns out there to scan for alerts, iframes, remote script includes and other malicious JavaScript?
- Should this process be manually authorized (by a human checking the JavaScript)?
- Would it be more sensible to allow users to only use a framework (like jQuery) rather than giving them access to actual JavaScript? This way it might be easier to monitor.
Thanks
Don’t think so, but near. Let’s see.
Yeah, at least there are Google Caja and ADSafe to sanitize the code, allowing it to be sandboxed. I don’t know what degree of trustworthiness they provide, though.
It may be possible that the sandbox fails, so it would be a sensible solution, depending on the risk and the trade-off of being attacked by malicious (or faulty) code.
jQuery is just plain JavaScript, so if you’re trying to protect from attacks, it won’t help at all.
If it is crucial to prevent this kind of attack, you can implement a custom language, parse it in the backend and produce the controlled, safe JavaScript; or you may consider another strategy, like providing an API and accessing it from a third-party component of your app.
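
The custom-language approach from the answer above, as an added example that is not part of the original post: user scripts are a JSON list of commands that a Node.js backend validates against an allow-list and compiles to fixed JavaScript. The command format, the op names, the `user-` id prefix and the size limits are assumptions chosen for illustration.

```javascript
'use strict';
// Added example: user scripts are JSON command lists, not JavaScript.
// The op names, the "user-" id prefix and the size limits are assumptions.
const NAME_RE = /^[A-Za-z][A-Za-z0-9_-]{0,31}$/;

// Serialise a value as a JS string literal. JSON.stringify handles quotes and
// backslashes; "<" and U+2028/U+2029 are escaped so the literal cannot close an
// inline <script> element or break a line in older engines.
function jsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Allow-list: each op validates its value and emits one fixed statement.
const OPS = {
  setText:  { check: v => typeof v === 'string' && v.length <= 200,
              emit: v => `e.textContent = ${jsString(v)};` },
  addClass: { check: v => typeof v === 'string' && NAME_RE.test(v),
              emit: v => `e.classList.add(${jsString(v)});` },
  hide:     { check: v => v === undefined,
              emit: () => 'e.hidden = true;' },
};

function compileUserScript(source) {
  let cmds;
  try { cmds = JSON.parse(source); } catch (err) { throw new Error('not valid JSON'); }
  if (!Array.isArray(cmds) || cmds.length > 50) throw new Error('expected at most 50 commands');
  return cmds.map((c, i) => {
    const known = c && typeof c.op === 'string' &&
      Object.prototype.hasOwnProperty.call(OPS, c.op);
    if (!known) throw new Error(`command ${i}: op not allowed`);
    if (typeof c.target !== 'string' || !NAME_RE.test(c.target)) throw new Error(`command ${i}: bad target`);
    if (!OPS[c.op].check(c.value)) throw new Error(`command ${i}: bad value`);
    // Targets are forced into the "user-" namespace, away from the site's own ids.
    const id = jsString('user-' + c.target);
    return `{ const e = document.getElementById(${id}); if (e) { ${OPS[c.op].emit(c.value)} } }`;
  }).join('\n');
}

// Constructed sample input.
const sample = JSON.stringify([
  { op: 'setText', target: 'greeting', value: 'Hi </script>" ok' },
  { op: 'addClass', target: 'box', value: 'highlight' },
]);
console.log(compileUserScript(sample));
```

Because user input only ever reaches the output as an escaped string literal or a validated id, anything outside the allow-list is rejected at compile time instead of being filtered after the fact.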