I’m building a webapp that contains an IFrame in design mode so my user’s can ‘tart’ their content up and paste in content to be displayed on their page. Like the WYSIWYG editor on most blog engines or forums.
I’m trying to think of all potential security holes I need to plug, one of which is a user pasting in Javascript:
<script type='text/javascript'> // Do some nasty stuff </script> Now I know I can strip this out at the server end, before saving it and/or serving it back, but I’m worried about the possibility of someone being able to paste some script in and run it there and then, without even sending it back to the server for processing.
Am I worrying over nothing?
Any advice would be great, couldn’t find much searching Google.
Anthony
Firefox has a plug-in called Greasemonkey that allows users to arbitrarily run JavaScript against any page that loads into their browser, and there is nothing you can do about it. Firebug allows you to modify web pages as well as run arbitrary JavaScript.
AFAIK, you really only need to worry once it gets to your server, and then potentially hits other users.