If you have say an HTML5 games arcade, that allows users to upload a script that runs a game with HTML5 and Javascript, assuming you have no filters on their input (apart from only allowing JS and HTML), what are the potential security risks and pitfalls?
One unlikely possibility is that if the games are popular, they could have a dormant ddos script inside them that can launch a ddos attack if the games are popular enough.
Stealing cookies is another, but if anyone has a comprehensive list, or any other ideas it would be interesting to hear them.
Allowing javascript to be uploaded an run opens up quite a lot of options for an attacker.
See Cross Site Scripting (wikipeda) and on OWASP.
In general – if you allow this, then an attacker can post any code, redirect users, exploit their browsers, install viruses and more.