i'm working on cms application, users can build , manage own websites. there crud of html pages, in while creation/updation, sanitizing user's input , removing javascript code.
some user's need add widgets on pages, can source. how can allow them without compromising security of page ? basically, want allow <script> tag trusted sources , might have javascript content within them.
if don't want js on these pages, should not open pandora's box allowing 'under circumstances'.
a 'trusted' source hard enough define , potentially harder control. also, original source may include 3rd party scripts , near impossible test , monitor every single 1 of them.
at least, recommend embed widgets in iframes can't interfere main page.
as side note: you're aware of that, removing js code not easy task either may included in many different places, obfuscated, etc.
just quick (and safe) example:
<img src="foo" onerror="console.log(atob('ssboyxmgagfja2vkihrozsbjbnrlcm5ldhmhiq=='))">that said, doubt user intentionally corrupt own page. raises question: do need block js in first place?
you may have specific reasons not obvious in post, though.
all of based on own understanding of problem, don't hesitate provide more details if missed plot.
Comments
Post a Comment