Hi folks,

I plan on having an aspect of my site where the users can submit HTML, CSS, and JS, which is then generated 'live' into full working pages of HTML. Other users will be able to see this. These pages need to have working Javascript on them.

I understand that's a pretty major security flaw in itself, but it's very important this feature is on the site. I had these ideas:

  • No external Javascript files can be linked to
  • jQuery etc. can be included, but only from a trusted CDN (e.g. Google)
  • Certain Javascript functions will be disabled and removed (e.g. eval())
  • Users cannot submit live demo code until they have earnt a certain amount of 'reputation'
  • User-submitted live demo code must be authorised by an administrator before it goes live
  • No minified code may be used

And passive security measures:

  • Disclaimer, so we're not held responsible! ;)
  • 'Report' buttons in case a user finds something dodgy

So here's the question: What do you think of this, as a security plan? Will these measures combined be enough to stop attackers? Users will be submitting their code in three separate inputs - CSS, HTML, and JS - so I will be able to filter and sanitise accordingly, then restructure it 'live' for others to preview.

Thanks!

Jack

+3  A: 

Sounds like a plan, although I imagine its execution is going to be difficult.

  • JavaScript is so flexible a language that it will probably be impossible to filter out all eval()-like constructs automatically.

  • There are also many ways to fetch script files from external domains that are going to be hard to tell.

  • There may be large amounts of code that need manual reviewing.

Focusing on the reputation aspect of the idea (accepting executable code only from trusted users), and running everything on a cookieless "sandbox" domain separate from the domain you log in to, is surely a good idea.

There's always going to be a risk remaining, but I don't see how that risk is any bigger than on any other web site on the internet that provides JavaScript.

Pekka
Great answer Pekka! I guess the reputational aspect will hopefully help. And thanks for pointing out about running it on a separate domain - I nearly forgot about that!
Jack Webb-Heller
+1 for separate domain; probably the single most important aspect, from a point of view of your own app's security.
Cheekysoft
+3  A: 

The project that powers the user supplied JavaScript of many social networks is Google Caja. This allows anyone to run JavaScript on your domain in a safe sandbox. To be honest there are more problems than the ones you listed, and Caja takes care of it for you. If you want to give your users HTML, but not JavaScript then you should use HTML Purifier. But this should only be used as a last resort, in most cases you should use html entity encoding.

Rook
HTML Purifier looks excellent! And they even have a CodeIgniter library too, which is helpful for me. And I'll investigate Caja, it looks a little complex but sounds like it'll do the trick.
Jack Webb-Heller