I'm making a website that allows users to create ads, apps, etc. Think of AdSense ads, Facebook apps.
So, users can create ads or apps any way they want, either using the tools provided or through their own HTML code, and the ads/apps are rendered in the website for other users to see.
My problem:
1) When I allow users to add their own code embedded in the website, am I exposing the website to security risks? (I'm not sure, but I think they'd be able to add malicious code in JavaScript.)
2) If I think of isolating the embedded code from the rest of the website using iframes, is that a problem, or is there a better way to do this?
What I want to achieve:
Some sort of element that renders user-generated custom HTML and CSS code in the website without affecting security.
Depending on the types of ads or apps allowed to be made and the languages they can use, you can be at risk in a few ways if other users can see it.
Let's assume they can use HTML and add the code
<img src='fake.jpg' onerror='alert("xss");'>
In that scenario, users who can see it are exposed to an XSS attack. If that's the case, see this post -> How can I allow a user to insert HTML code without risks?
I don't recommend server-side languages, and while iframes may be inherently more secure, the same thing applies if it's your domain that hosts the iframe. If the iframe src is on the same domain as where the iframe is displayed, you can toss out any security that iframes may pretend to offer.
The best solution I can offer is your own WYSIWYG editor with special codes that get turned into HTML code. If you're going to allow JS, you'll want to consider doing it in a safe way, done through creating your own wrapper (even wrapping a series of jQuery functions in a wrapper) and including them in the WYSIWYG cleverly.
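The two approaches the answer describes, a restricted editor/markup that only ever produces safe HTML, and an iframe that actually isolates the content, as an added example that is not part of the original question or answer. It is plain Node.js with no dependencies; the tag allowlist, `safeUrl` and the `sandboxedEmbed` helper are my own choices, not code from the site being built. The sanitizer illustrates the allowlist principle; a production site should use a maintained library such as DOMPurify or a server-side HTML parser rather than hand-rolled regexes.

```javascript
// Added example, not code from the original post. Plain Node.js, no
// dependencies. ALLOWED_TAGS, safeUrl and sandboxedEmbed are my own choices.

// Approach 1: only ever emit HTML built from an allowlist. Unknown tags are
// dropped (their text is kept), unknown attributes are dropped, and href/src
// must be http(s) or relative, so onerror=..., <script> and javascript: never
// reach the page.
const ALLOWED_TAGS = {
  a: ['href', 'title'], b: [], i: [], p: [], br: [], span: [],
  img: ['src', 'alt', 'width', 'height'],
};
const VOID_TAGS = new Set(['br', 'img']);

// A complete tag: name, zero or more whitespace-separated attributes, optional "/".
// Anything that does not match exactly is treated as text and escaped (fail closed).
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeHtml(s) {
  // Existing entities such as &amp; in user text get re-escaped; acceptable here.
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function safeUrl(v) {
  const stripped = v.replace(/[\x00-\x20]/g, ''); // browsers ignore these inside a scheme ("java\tscript:")
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return !scheme || /^https?$/i.test(scheme[1]);   // relative (no scheme) or http(s) only
}

function sanitizeHtml(input) {
  let out = '';
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf('<', i);
    if (lt === -1) { out += escapeHtml(input.slice(i)); break; }
    out += escapeHtml(input.slice(i, lt));
    const m = TAG_RE.exec(input.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }   // not a well-formed tag: escape it
    const [whole, slash, rawName, rawAttrs] = m;
    i = lt + whole.length;
    const name = rawName.toLowerCase();
    const allowedAttrs = ALLOWED_TAGS[name];
    if (!allowedAttrs) continue;                        // drop <script>, <iframe>, ...; inner text stays
    if (slash) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowedAttrs.includes(an)) continue;         // drops onerror, onclick, style, ...
      if ((an === 'href' || an === 'src') && !safeUrl(av)) continue;
      attrs += ` ${an}="${escapeHtml(av)}"`;            // always re-quote with our own quoting
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// Approach 2: the content really needs its own JS (an "app"). Put it in a
// sandboxed iframe. Without allow-same-origin the frame gets an opaque origin
// even when the markup is served from your own domain, so its scripts cannot
// read the parent's cookies, storage or DOM, and cannot navigate the top page.
function sandboxedEmbed(userHtml, { allowScripts = true } = {}) {
  const sandbox = allowScripts ? 'allow-scripts' : '';
  const doc = `<!doctype html><meta charset="utf-8">${userHtml}`;
  // srcdoc is an attribute: HTML-escape the whole document so user content
  // cannot close the quote and break out of the iframe tag.
  return `<iframe sandbox="${sandbox}" referrerpolicy="no-referrer" srcdoc="${escapeHtml(doc)}"></iframe>`;
}

// Constructed sample: the payload from the answer above.
const PAYLOAD = `<img src='fake.jpg' onerror='alert("xss");'>`;
console.log(sanitizeHtml(PAYLOAD));   // <img src="fake.jpg">
console.log(sandboxedEmbed(PAYLOAD));
```

The `sandbox` attribute is what answers the "same domain" objection in the answer: the isolation comes from the sandbox flags, not from where the frame is served, as long as `allow-same-origin` is never granted. Serving user content from a separate origin on top of that is still the stronger setup, because it also protects you if someone later opens the sandbox.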