Gaurav

Reputation: 804

Enable user to enter javascript code

Note: I haven't been able to find this question on the site; if it exists, close this as a duplicate.

For our application we have a browser-based client using JavaScript. Our application follows a client-server architecture, but is deployed only on premise, i.e. it is not exposed to the web. I am thinking of providing limited scripting support to the user (using JavaScript), somewhat similar to that provided in desktop-based applications (like MATLAB).

  1. Is it safe to allow the user to script?
  2. What is the safe way to implement it (eval, using an iframe, etc.)?

Upvotes: 0

Views: 517

Answers (1)

gkiely

Reputation: 3007

From a security perspective: running scripts on the page is not a problem; a user can already do that by pressing F12 and opening up the console.

The problem is if you allow users to save JS into your DB which is then loaded on the page by another user.

Imagine if you had a commenting system that allowed script tags; a potential prankster could now perform any of the functions the user can.

Or even anchor tags <a href="javascript:pageFunction()">click on me</a>

If it is just for the user, I would append the scripts to the body.

var scr = document.createElement("script"); // build a script element
scr.textContent = 'alert("hi")';            // the user's code goes in as inline script text
document.body.appendChild(scr);             // appending it runs the script immediately

Upvotes: 1
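The question also asks about the iframe route. The following is an added example, not code from the answer or the asker's application: it runs the user's own script inside a sandboxed iframe instead of eval(), so the script cannot reach the host page's DOM, cookies or storage. The names handleSandboxMessage, SANDBOX_HTML and runUserScript are mine, and the example assumes the page's CSP permits 'unsafe-eval' inside the frame.

```javascript
// Added example: sandboxed-iframe script runner. sandbox="allow-scripts" WITHOUT
// allow-same-origin gives the frame an opaque origin, isolated from the host page.

// Runs inside the sandbox. Kept pure so it can be unit-tested outside a browser.
function handleSandboxMessage(msg) {
  if (!msg || typeof msg.code !== "string") {
    return { id: msg && msg.id, ok: false, error: "no code supplied" };
  }
  try {
    // new Function needs 'unsafe-eval' in the CSP; a srcdoc frame inherits the host's CSP.
    const value = new Function("input", msg.code)(msg.input);
    return { id: msg.id, ok: true, result: value };
  } catch (err) {
    return { id: msg.id, ok: false, error: String((err && err.message) || err) };
  }
}

// Sandbox document: the handler above plus a relay back to the host page.
// "<\/script>" is escaped so this source can itself live inline in an HTML page.
const SANDBOX_HTML =
  "<!doctype html><script>const handle = " + handleSandboxMessage.toString() +
  ';addEventListener("message", e => { let r = handle(e.data);' +
  ' try { parent.postMessage(r, "*"); } catch (x) {' +
  ' parent.postMessage({ id: e.data.id, ok: false, error: "result not cloneable" }, "*"); } });' +
  "<\/script>";

// Host side (browser only): create the frame, send the code, await one reply, remove the
// frame on timeout. Caveat: a frame sharing the host's thread can still freeze the UI.
function runUserScript(code, input, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const frame = document.createElement("iframe");
    frame.setAttribute("sandbox", "allow-scripts"); // deliberately no allow-same-origin
    frame.style.display = "none";
    frame.srcdoc = SANDBOX_HTML;
    const id = Math.random().toString(36).slice(2);
    const onMessage = (e) => {
      // Accept replies only from our own frame and only for this request id.
      if (e.source === frame.contentWindow && e.data && e.data.id === id) finish(e.data);
    };
    const finish = (reply) => {
      clearTimeout(timer); window.removeEventListener("message", onMessage);
      frame.remove(); resolve(reply);
    };
    const timer = setTimeout(() => finish({ id, ok: false, error: "timed out" }), timeoutMs);
    window.addEventListener("message", onMessage);
    frame.addEventListener("load", () => frame.contentWindow.postMessage({ id, code, input }, "*"));
    document.body.appendChild(frame);
  });
}
```

Results come back only through postMessage, so a script that is later stored and replayed for another user still cannot call the host page's functions the way an injected script tag or javascript: link could.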
