Vignesh T.V.

Reputation: 1860

Securely Embeddable code in Websites

I am making a website which allows users to create ads, apps, etc. Think of it like Adsense for ads and Facebook apps for apps.

So, I am allowing the users to create ads or apps the way they want using either tools provided or through their own HTML code which will then be rendered as ads and apps in the website for other users to see.

My Problem:

1) When I allow users to add their own code which is to be embedded in the website, am I exposing my website to security risks? (I am not sure, but I think they will be able to add some malicious code in JavaScript.)

2) If I think of isolating the embedded code from the rest of the website using iframes, will that be a problem, or is there a better way to do this?

What I want to achieve:

Some sort of element to render user-generated custom HTML and CSS code in a website without affecting security.

Upvotes: 2

Views: 238

Answers (1)

Jesse

Reputation: 2830

Depending on the types of ads or apps they are allowed to make and what languages they can use, you can be at risk in a few ways, especially if other users can see it.

Let's assume they can use HTML and they add this code:

<img src='fake.jpg' onerror='alert("xss");'>

In this scenario, all of your users who can see this are exposed to an XSS attack. If this is the case, see this post -> How can I allow my user to insert HTML code, without risks?

I would not recommend server-side languages, and while iframes may inherently be more secure, the same thing applies, especially if your domain hosts the iframe. If the iframe src is on the same domain as where the iframe is displayed, you can toss out any security iframes may pretend to offer.

The best solution is to offer your own WYSIWYG editor where your special codes are turned into HTML code. Allowing JS is going to be something you want to consider doing in a safe way; this could be done by creating your own wrapper (even wrapping a series of jQuery functions in a wrapper) and including them in your WYSIWYG cleverly.

Upvotes: 3
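An added example, not code from the original question or from the answer above, showing in JavaScript the two approaches the answer discusses. The first part is an allow-list sanitizer: it keeps only listed tags and attributes, so the `onerror` handler in the answer's `<img>` payload (and every other `on*` handler, `javascript:` URL, `<script>` block or comment) is dropped because it is never listed. The second part is a helper for content that genuinely needs its own JavaScript: instead of inlining it, the content is served from a separate origin and embedded in an iframe with the `sandbox` attribute, since a same-origin frame can script the parent document. The hostname `usercontent.example`, the function names and the allow-list itself are assumptions; a production site should use a maintained sanitizer such as DOMPurify rather than a hand-rolled one.

```javascript
// Added example, not code from the original post.  Hand-rolled allow-list
// sanitizer (use DOMPurify in production) plus a sandboxed-iframe embed helper.

// Tag -> attributes that survive.  Anything not listed (every on* handler,
// style, srcdoc, ...) is dropped simply because it is absent from this map.
const ALLOWED_TAGS = new Map(Object.entries({
  a: ['href', 'title'], img: ['src', 'alt', 'width', 'height'],
  p: [], br: [], b: [], i: [], em: [], strong: [], span: [], div: [],
  ul: [], ol: [], li: [], h1: [], h2: [], h3: [],
}));
const VOID_TAGS = new Set(['br', 'img']);
const URL_ATTRS = new Set(['href', 'src']);
// Elements whose inner text is discarded together with the tag itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math']);

function escapeText(s) {
  return s
    .replace(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);)/gi, '&amp;') // keep well-formed entities
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only relative URLs and http(s) are accepted.  Control characters and
// whitespace are stripped before the check because browsers ignore them
// when parsing a scheme, so "java\tscript:alert(1)" would otherwise pass.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return scheme ? scheme[1] === 'http' || scheme[1] === 'https' : true;
}

// Find the ">" that ends a tag, skipping over quoted attribute values.
function findTagEnd(html, from) {
  let quote = null;
  for (let j = from; j < html.length; j++) {
    const c = html[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return j;
  }
  return -1;
}

const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitizeHtml(html) {
  let out = '';
  const open = []; // stack of emitted open tags, used to balance the output
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {                       // text node: escape and copy
      const next = html.indexOf('<', i);
      const end = next === -1 ? html.length : next;
      out += escapeText(html.slice(i, end));
      i = end;
      continue;
    }
    if (html.startsWith('<!--', i)) {            // comments are dropped outright
      const end = html.indexOf('-->', i + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const head = /^<(\/?)([a-zA-Z][a-zA-Z0-9-]*)/.exec(html.slice(i));
    const close = head ? findTagEnd(html, i + head[0].length) : -1;
    if (!head || close === -1) { out += '&lt;'; i += 1; continue; } // a lone "<" is text
    const closing = head[1] === '/';
    const name = head[2].toLowerCase();
    const attrText = html.slice(i + head[0].length, close);
    i = close + 1;
    if (DROP_WITH_CONTENT.has(name) && !closing) { // skip the element and its body
      const m = new RegExp(`</${name}\\s*>`, 'i').exec(html.slice(i));
      i = m ? i + m.index + m[0].length : html.length;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;       // unknown tag dropped, its text kept
    if (closing) {
      const depth = open.lastIndexOf(name);
      if (depth === -1) continue;                // stray close tag dropped
      while (open.length > depth) out += `</${open.pop()}>`;
      continue;
    }
    let tag = `<${name}`;
    for (const m of attrText.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (!ALLOWED_TAGS.get(name).includes(attr)) continue; // drops onerror, style, ...
      if (URL_ATTRS.has(attr) && !safeUrl(value)) continue;
      tag += ` ${attr}="${escapeText(value)}"`;
    }
    out += tag + '>';
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out += `</${open.pop()}>`; // close anything left open
  return out;
}

// For ads that need their own JavaScript, sanitizing is not enough: serve the
// ad document from a separate origin (usercontent.example is an assumed host)
// and frame it with sandbox.  allow-scripts WITHOUT allow-same-origin runs the
// script under an opaque origin, so it gets none of the host site's cookies,
// storage or DOM.  A same-origin frame would give it parent.document for free.
function sandboxedEmbed(adId, origin = 'https://usercontent.example') {
  const src = `${origin}/ads/${encodeURIComponent(adId)}`;
  return `<iframe src="${src}" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed sample: the payload from the answer comes out without its handler.
console.log(sanitizeHtml(`<img src='fake.jpg' onerror='alert("xss");'>`)); // <img src="fake.jpg">
console.log(sandboxedEmbed('ad 1'));
```

The sanitizer balances tags on output so that a user's unclosed `<div>` cannot swallow the rest of the host page, and it treats an unparseable `<` as text rather than guessing. The embed helper pairs with a `Content-Security-Policy: frame-ancestors` header on the user-content origin so only the host site can frame it; that header is not shown here.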
