
I'm curious to learn the best technique for allowing users to add JavaScript to pages in an app without opening a security can of worms.

For a long time I thought this was impossible, but I was kicking the tires on the hosted e-commerce product Tictail and their customization tool allows you to add any markup and JavaScript that you want. I'm very curious how they might be doing this without becoming vulnerable to exploits.

Below are some test scripts I added to a page, and the results.

<script>
  alert(document.cookie)
</script>

That works, and an alert is triggered. Will the page run anything?

<script>
  // runs before <body> has been parsed, so document.body is still null here
  document.body.style.display = 'none';
</script>

That does not work: the script tag loads in the page as-is, but an error is shown in the console: Uncaught TypeError: Cannot read property 'style' of null

Thanks for any ideas/insights.

rda3000
  • I think you're looking for a JavaScript sandbox. Take a look at http://stackoverflow.com/questions/5044608/javascript-sandbox. – James Mason Jun 13 '14 at 22:31
  • You might be looking for something like this: http://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser – Wolph Jun 13 '14 at 22:31
  • For those of us not familiar with Tictail, what exactly does it allow you to edit? Is it a site they're hosting for you with your design? Some kind of template-based hosting service? – Michael Hoffmann Jun 13 '14 at 22:38
  • Here's the interface, where you can edit/add css and js to your page's template: http://i.imgur.com/ozeyCW6.png – rda3000 Jun 13 '14 at 23:01
  • Only you, as the storekeeper, can edit/modify your store template/theme. And yes, you can add any markup, styles and scripts that you see fit to make your store amazing. This is not a security concern. – ptz0n Jan 22 '15 at 10:54

1 Answer


What is insecure about letting the user add HTML or scripts if they are only served back to the same person who created them?

I would bet this e-commerce product won't let you serve arbitrary HTML / script to other users.

Any user of your web page(s) can always add any script / HTML to the page on their side. XSS scripting is all about letting the user insert HTML/script which is then served back to other users. Just look at tools like Greasemonkey or Firebug.

TheNorthWes
  • I may have described the process poorly, but when I add scripts to the page using the editing interface (in this case, my store page) those scripts are in fact served to anyone who accesses the page. – rda3000 Jun 13 '14 at 22:36
  • But you own the store page right? No one else can modify your store page and then serve users that code? End users have to trust the developers of the sites they use. – TheNorthWes Jun 13 '14 at 22:38
  • Admiral Adama: That's correct. The markup, styles and scripts will only be served to users visiting this specific store and will not affect other stores on the platform. – ptz0n Jan 22 '15 at 10:57
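The trust boundary the answer and ptz0n's comment describe, as an added Python model (not Tictail's code; the hostnames, the Store type and the functions are assumptions): the storekeeper's own script is served verbatim, but only on that store's own origin, never on the platform's login origin or on another store, while anything a visitor submits is escaped.

```python
from dataclasses import dataclass
from html import escape

# Assumed hostnames for this illustration (not Tictail's real layout).
PLATFORM_HOSTS = {"admin.example-platform.test"}  # where storekeepers log in
STORE_DOMAIN = "example-stores.test"              # each store gets its own host


@dataclass
class Store:
    slug: str               # hypothetical: "alice" -> alice.example-stores.test
    owner: str              # the one account allowed to edit the theme
    theme_script: str = ""  # raw markup/script added through the theme editor


def store_host(store: Store) -> str:
    # Assumption: one origin per store, so the owner's script can only reach
    # that store's cookies and DOM, never another store's or the platform's.
    return f"{store.slug}.{STORE_DOMAIN}"


def set_theme(store: Store, actor: str, script: str) -> None:
    """Only the storekeeper may change what is served verbatim on their store."""
    if actor != store.owner:
        raise PermissionError(f"{actor} does not own store {store.slug}")
    store.theme_script = script


def render_store_page(store: Store, request_host: str, visitor_comment: str) -> str:
    """HTML for one store page, as served to every visitor of that store."""
    if request_host in PLATFORM_HOSTS:
        # Theme code must never run on the platform origin, where it could
        # read the storekeeper's own session.
        raise ValueError("theme code is not rendered on platform hosts")
    if request_host != store_host(store):
        raise ValueError("store page requested on another store's origin")
    return (
        "<!doctype html><html><head>"
        f"{store.theme_script}"                               # owner's code, verbatim
        "</head><body>"
        f"<h1>{escape(store.slug)}</h1>"
        f'<p class="review">{escape(visitor_comment)}</p>'   # visitor content, escaped
        "</body></html>"
    )
```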