
I have implemented a requirement in my website where I allow my end user to configure a link to execute any JavaScript that he may require. Since he can type in any JavaScript he requires, he also has the ability to open different web pages, create new pages via JavaScript, edit elements in the page via JavaScript and so on.

I have some security concerns over this functionality and would like to get some opinions from everyone. Is it possible that a malicious or unethical script could be added to the page that could bring about law-and-order problems or credibility issues? If so, is it possible to put in some code that would restrict the type of JavaScript that my user may add?

  • Who will see the link? Just the user who added the JS? Other members of the site? The general public? Commented Dec 3, 2011 at 9:21
  • @Quentin: Good point. I wrote my answer considering that the JS will be publicly visible (worst case). Commented Dec 3, 2011 at 9:24

1 Answer


There's a thing called ADsafe, which was developed for banner ads; it is a strict subset of JavaScript that is meant to prevent malicious code. I don't think you'd be able to do things like

open different web pages, create new pages via javascript, edit elements in the page via javascript and so on

though. I think you should rethink your needs, and try to determine if you can come up with a way to offer the user the ability to choose from pre-determined code that you write, perhaps customizing it within certain bounds.

Then again, if you're absolutely sure that the JavaScript is only going to run for the user who entered it, there shouldn't be anything they can do that will screw it up for anyone else. If a user were determined, he or she could simply inject their JavaScript through other means, like a rewriting proxy, an extension, or simply the JavaScript console.


1 Comment

+1 for "re-think your needs". Handling arbitrary JS might be very complex.
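The "pre-determined code, customized within certain bounds" approach from the answer above, as an added example that is not part of the original thread or of ADsafe. The user never supplies code; they supply data (an action name plus parameters) that is validated against allowlists before it is dispatched to a fixed set of handlers. The action names (`openUrl`, `toggleElement`, `setText`), the parameter names, the allowed origins and element ids, and the `env` object used to stand in for `window`/`document` are all assumptions chosen for illustration.

```javascript
// Added example (not from the original thread): a fixed menu of link actions
// that the user configures with data, instead of arbitrary JavaScript.
// The action names, parameter names and the allowlists are assumptions
// chosen for illustration.

// Constructed allowlists: the only origins a link may navigate to and the
// only element ids a link may touch.
const ALLOWED_ORIGINS = new Set(["https://example.com"]);
const ALLOWED_TARGET_IDS = new Set(["sidebar", "help-panel"]);
const MAX_TEXT_LENGTH = 200;

function requireAllowedId(id) {
  if (typeof id !== "string" || !ALLOWED_TARGET_IDS.has(id)) {
    throw new TypeError(`target id not allowed: ${String(id)}`);
  }
  return id;
}

// Each validator turns untrusted parameters into a plain, fully checked
// action object, or throws. Nothing here is ever eval'ed.
const ACTIONS = {
  openUrl(params) {
    let u;
    try {
      u = new URL(String(params.url));
    } catch {
      throw new TypeError("url must be an absolute URL");
    }
    // Rejects javascript:, data:, vbscript: and similar schemes.
    if (u.protocol !== "https:" && u.protocol !== "http:") {
      throw new TypeError(`scheme not allowed: ${u.protocol}`);
    }
    if (!ALLOWED_ORIGINS.has(u.origin)) {
      throw new TypeError(`origin not allowed: ${u.origin}`);
    }
    return { type: "openUrl", url: u.href, newTab: params.newTab === true };
  },
  toggleElement(params) {
    return { type: "toggleElement", id: requireAllowedId(params.id) };
  },
  setText(params) {
    const text = params.text;
    if (typeof text !== "string" || text.length > MAX_TEXT_LENGTH) {
      throw new TypeError("text must be a string of at most 200 characters");
    }
    return { type: "setText", id: requireAllowedId(params.id), text };
  },
};

// Validate a stored link configuration such as
// { action: "openUrl", params: { url: "https://example.com/docs" } }.
function compileLinkAction(spec) {
  if (spec === null || typeof spec !== "object") {
    throw new TypeError("spec must be an object");
  }
  // hasOwnProperty.call keeps "constructor", "__proto__" etc. from
  // resolving to inherited properties of ACTIONS.
  if (typeof spec.action !== "string" ||
      !Object.prototype.hasOwnProperty.call(ACTIONS, spec.action)) {
    throw new TypeError(`unknown action: ${String(spec.action)}`);
  }
  const params = spec.params ?? {};
  if (params === null || typeof params !== "object") {
    throw new TypeError("params must be an object");
  }
  return ACTIONS[spec.action](params);
}

// Execute a compiled action against an environment. In a browser, pass
// { open: (url, target) => window.open(url, target, "noopener"),
//   getElementById: (id) => document.getElementById(id) }.
// Returns true if the action ran, false if its target element was missing.
function runLinkAction(action, env) {
  switch (action.type) {
    case "openUrl":
      env.open(action.url, action.newTab ? "_blank" : "_self");
      return true;
    case "toggleElement": {
      const el = env.getElementById(action.id);
      if (!el) return false;
      el.hidden = !el.hidden;
      return true;
    }
    case "setText": {
      const el = env.getElementById(action.id);
      if (!el) return false;
      el.textContent = action.text; // textContent, never innerHTML
      return true;
    }
    default:
      throw new TypeError(`unhandled action type: ${action.type}`);
  }
}
```

Because the stored configuration is data rather than code, it can be validated on the server at save time and again on the client at click time, and the page can ship a Content Security Policy without `unsafe-eval` or `unsafe-inline`; a user-supplied `javascript:` URL, an unknown action name, or a reference to an element outside the allowlist is rejected before anything runs.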
