Howdy,

I'm building a webapp that contains an IFrame in design mode so my users can "tart" their content up and paste in content to be displayed on their page. Like the WYSIWYG editor on most blog engines or forums.

I'm trying to think of all potential security holes I need to plug, one of which is a user pasting in Javascript:

<script type="text/javascript">
// Do some nasty stuff
</script>

Now I know I can strip this out at the server end, before saving it and/or serving it back, but I'm worried about the possibility of someone being able to paste some script in and run it there and then, without even sending it back to the server for processing.

Am I worrying over nothing?

Any advice would be great, couldn't find much searching Google.

Anthony

+2  A: 

As Jason said, I would focus more on cleaning the data on the server side. You don't really have any real control on the client side unless you're using Silverlight / Flex and even then you'd need to check the server.

That being said, here are some tips from A List Apart you may find helpful regarding server side data cleaning.

http://www.alistapart.com/articles/secureyourcode

Ryan Lanciaux
+3  A: 

...I'm worried about the possibility of someone being able to paste some script in and run it there and then, without even sending it back to the server for processing.

Am I worrying over nothing?

Firefox has a plug-in called Greasemonkey that allows users to arbitrarily run JavaScript against any page that loads into their browser, and there is nothing you can do about it. Firebug allows you to modify web pages as well as run arbitrary JavaScript.

AFAIK, you really only need to worry once it gets to your server, and then potentially hits other users.

Jason Bunting