I’m hosting a small service where people can create online calendars. I’m playing with the idea of allowing users to save & embed their own JavaScript/HTML/CSS to their calendars.
I’m a bit worried about the security implications – are there ways to use XSS etc. so that the user’s JavaScript code could affect some other calendars besides the one where the code is embedded?
From the customer’s perspective, the JS on the page should be allowed to change all the aspects of the page.
I guess the safest way would be to only allow custom HTML/CSS, but the ability to modify the layout and functionality of the calendar with JS would be a nice feature to have.
This can be very dangerous, for the same reason that
You’re basically giving the user an opportunity to run malicious scripts.
Example: You are using AJAX to update something on your server. I come along, open up my trusty Firebug, see the AJAX request, and decide to wreak a little havoc, because that’s what I do. I just rewrite the AJAX call, change the id of my calendar to some random one, and bam, that’s my dirty deed for the day.
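The server-side check that stops the rewritten request described in the answer above, shown beside a handler that lacks it. This is an added example, not code from the original thread; the handler names, the session shape and the calendar records are hypothetical and the data is constructed.

```javascript
// Constructed in-memory data standing in for the calendar table.
const calendars = new Map([
  ["cal-1", { owner: "alice", title: "Alice's calendar" }],
  ["cal-2", { owner: "bob", title: "Bob's calendar" }],
]);

// Weak handler: trusts the calendar id sent by the browser.
function updateTitleUnchecked(store, body) {
  const cal = store.get(body.calendarId);
  if (!cal) return { status: 404 };
  cal.title = body.title;
  return { status: 200 };
}

// Hardened handler: the acting user comes from the server-side session,
// never from the request body, and is compared with the stored owner.
function updateTitleChecked(store, session, body) {
  if (!session || typeof session.user !== "string") return { status: 401 };
  if (typeof body.calendarId !== "string" || typeof body.title !== "string") {
    return { status: 400 };
  }
  const cal = store.get(body.calendarId);
  // Same response for "missing" and "not yours" so ids cannot be probed.
  if (!cal || cal.owner !== session.user) return { status: 404 };
  cal.title = body.title;
  return { status: 200 };
}

// Runs both handlers against a copy of the constructed data.
function demo() {
  const store = new Map([...calendars].map(([k, v]) => [k, { ...v }]));
  const session = { user: "alice" }; // assumed to be set at login, server side
  const tampered = { calendarId: "cal-2", title: "changed" }; // id rewritten
  const own = { calendarId: "cal-1", title: "Team plan" };
  return {
    tamperedChecked: updateTitleChecked(store, session, tampered).status,
    bobTitleAfterChecked: store.get("cal-2").title,
    ownChecked: updateTitleChecked(store, session, own).status,
    tamperedUnchecked: updateTitleUnchecked(store, tampered).status,
    bobTitleAfterUnchecked: store.get("cal-2").title,
  };
}
```

The same check applies whether the request is edited by hand or issued by a script embedded in a calendar page, because the decision depends only on the session and the stored owner.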