Is it safe to save user created javascript in database?

Question

I'm working on a code playground type of application where a user(web developer/designer) can input HTML, CSS and Javascript and view the result on an iframe. The inputted code will be saved in the database (MySQL) and rendered back again in an iframe on a show_results view/action.

Now the question: Is it safe to save javascripts directly in the database? If not, then where/how should I save it?

Answer 1

Yes it is safe as an architectural decision iff you are executing the javascript on the client side.

On any website you can use tools such as chrome's "inspect element" to manipulate the html, javascript etc on the client. Your system cannot assume that items on the client are not manipulated. This is why server side validation is still so important.

I completely disagree with kzqai. If this was the case then fiddler would be in serious trouble.

There are potential problems that can be exposed more easily with what you are doing, but those problems already exist and are just obscure.

IFF you are executing javascript on the server side, this is a very complex decision. I would personally avoid it if possible because the game you are playing is that you are able to catch every possible scenario for trouble vs a bad guy being able to catch the 1 you did not.

Answer 2

The database is not going to be your problem here. It's fairly trivial to use prepared statements to allow all kinds of characters to be stored safely in the database. Using anything other than prepared statements to store user input is insufficient, and essentially never recommended.

But you're talking about allowing arbitrary javascript to be executed, which is always going to be a security problem. As a commenter above implies, you're going to be replicating the complexities of jsfiddle.net without the security experience, the development know-how, or the express wish to keep on patching the vulnerabilities that will keep on cropping up.

Certainly you should be aware that what you're doing will completely compromise any domain that you set it up on, so that essentially that javascript should be only written on a throw-away domain or subdomain that you don't use for any other purpose. Of course, it's going to be trivial in such an environment to simply framebreak and pull a viewer off of the site that hosts the frame as well.

I'm sure this just scratches the surface of the potential abuses that arbitrary javascript execution (aka intentional self cross-site-scripting) will bring with it.

Since you're essentially re-inventing a very dangerous wheel with this concept, why not simply use some of the embedding services that already exist out there? codepen.io for example, allows you to embed it's snippets.

Answer 3

It is safe as long as you correctly escape certain characters when inserting the value in the SQL statement. For example, if your Javascript code is:

var foo = 'hello world';

Then you will have to escape the single quotes when building the SQL statement:

INSERT INTO snippets (code) VALUES ('var foo = ''hello world'';')

In the statement above, two single quotes ('') are the way to represent just a single quote in a string enclosed by single quotes.

See the link below for further information on escaping characters: http://dev.mysql.com/doc/refman/5.0/en/string-literals.html

EDIT

As Stephen P correctly points out, if you use prepared statements on the server side code then the framework under the hood will replace those characters for you.