Reputation: 55
Are there any possible security issues if I let users upload their own html/css/js files?
I am making a store, where I want to allow the users to upload a custom html/js/css website to display with their product.
What security issues should I look for?
Upvotes: 0
Views: 398
Answers (1)
Reputation: 35106
The two biggest issues surrounding DHTML are:
- Script Injection
- Cross-site scripting
CSS files are safe
.html and .js files are NOT safe. You can make .html files safe by insisting on your own Content-Security-Policy: shutting down inline scripts and styles, and only allowing them to use libraries that you've vetted. .js files need to be personally inspected to ensure that they are safe.
My advice is that instead of letting them update the html and js files, it would be safer to provide a template that they could file out online, and whose content you could store in a database.
Upvotes: 2
Related Questions
- Security Issues for allowing users to add own JavaScript to your site?
- Is CSS (and derivates SASS, SCSS, ...) is it safe to allow user upload? Is there a security issue?
- Coldfusion: What are security issues that can occur if I allow users to upload .css and .js files to my site
- security issues with user-supplied CSS?
- Allowing user css
- Risks in allowing users to upload HTML/JS files
- User Uploaded CSS safe?
- Is there a security threat if I enable a user to add CSS?
- Is it ok to let user customise css and Javascript
- What are the risks of letting users upload and run Javascript