
Recently I have been working on improving a previously built JS editor that displays the results in an iframe.

I have some thoughts and a lot of question marks about what the risks are (if any) and which security steps I need to take or check before finishing the project.

I read a lot about WYSIWYG and I couldn't find any useful detailed answers, just code names. Of course I have read everything there is to read about XSS and all its types, but once again the only major concern I could find that I consider a risk for JS online editors is cookie hijacking, and that's an easy, well-known threat to protect against.

What are the concerns to the users?

What are the concerns to the server / website side?

How to avoid them and still give the user the ability to use JS?

Shlomi Hassid
  • I would say: Take a look at how StackSnippets are implemented here on StackOverflow. – Sumurai8 Apr 24 '15 at 21:56
  • @Sumurai8 or jsFiddle - add `alert(document.cookie);` and it works... Here on Stack Overflow they are blocking some; they are resetting `parent, document...`. What is the list of JS variables to escape? What is the proper way? – Shlomi Hassid Apr 24 '15 at 22:05

0 Answers
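As an added example (not code from the question, the comments, or any existing editor such as jsFiddle or Stack Snippets), the block below shows the host-side piece that answers the "which variables to escape" comment: none. The preview `<iframe>` is given a `sandbox` attribute without `allow-same-origin`, so the user's code runs in an opaque ("null") origin where `parent.document` throws a SecurityError and `document.cookie` is empty, regardless of what identifiers the code uses. A `<meta>` CSP inside the preview document further stops the snippet from making network requests, and the only channel back to the host is `postMessage`, checked by `event.source` rather than `event.origin`. Function names (`validateSandbox`, `escapeAttr`, `buildPreviewFrame`, `acceptPreviewMessage`) and the permitted-token list are this example's own choices; serving the runner from a dedicated origin, as the Stack Snippets comment hints, is a second layer on top of this so that a sandbox misconfiguration alone does not expose the host's cookies.

```javascript
// Added example for the question above; not code from the question, the
// comments, or any editor project. Names and the token list are assumptions.

// Sandbox tokens that may be granted to a frame running untrusted user code.
// 'allow-same-origin' is intentionally absent: combined with 'allow-scripts'
// the frame keeps the host's origin, so user code could reach parent.document
// and the host's cookies, and could even remove its own sandbox attribute.
// 'allow-top-navigation' is excluded so user code cannot redirect the editor.
const SAFE_SANDBOX_TOKENS = new Set([
  'allow-scripts', 'allow-forms', 'allow-modals', 'allow-popups',
]);

// Returns { ok: true } or { ok: false, reason } for a proposed token list.
function validateSandbox(tokens) {
  const set = new Set(tokens);
  if (!set.has('allow-scripts')) {
    return { ok: false, reason: 'preview needs allow-scripts to run user JS' };
  }
  if (set.has('allow-same-origin')) {
    return { ok: false, reason: 'allow-same-origin with allow-scripts defeats the sandbox' };
  }
  for (const t of set) {
    if (!SAFE_SANDBOX_TOKENS.has(t)) {
      return { ok: false, reason: `sandbox token not permitted for untrusted code: ${t}` };
    }
  }
  return { ok: true };
}

// Escape a string for use inside a double-quoted HTML attribute value.
// srcdoc is HTML-decoded before it is parsed, so the user's markup and
// script arrive in the frame exactly as written.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// CSP applied inside the preview document via a <meta> tag: user code may run
// inline, but cannot fetch, XHR, or load remote scripts. This limits what a
// malicious snippet can do with the frame beyond what origin isolation blocks.
const PREVIEW_CSP =
  "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:";

// Build the <iframe> markup for a preview of userHtml + userJs.
// With no 'allow-same-origin', the frame gets an opaque origin: inside it,
// parent.document throws a SecurityError and document.cookie is empty, so no
// denylist of identifiers (parent, document, ...) is needed; such a denylist
// would not be a security boundary anyway.
function buildPreviewFrame(userHtml, userJs, sandboxTokens = ['allow-scripts']) {
  const check = validateSandbox(sandboxTokens);
  if (!check.ok) throw new Error(check.reason);
  // A user script containing "</script>" only truncates its own preview
  // document; it cannot affect the host page, which is the property we need.
  const doc =
    '<!doctype html><html><head>' +
    `<meta http-equiv="Content-Security-Policy" content="${PREVIEW_CSP}">` +
    `</head><body>${userHtml}<script>${userJs}</script></body></html>`;
  return `<iframe sandbox="${sandboxTokens.join(' ')}" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Host-side message filter for a window 'message' event. A sandboxed frame's
// origin is the string "null", so event.origin cannot identify it; compare
// event.source with the frame we created and validate the payload shape.
function acceptPreviewMessage(event, previewFrame) {
  return event.source === previewFrame.contentWindow &&
    typeof event.data === 'object' && event.data !== null &&
    typeof event.data.log === 'string';
}
```

In a browser the host page would insert the returned markup into its DOM (for example via `insertAdjacentHTML`) and register `window.addEventListener('message', e => { if (acceptPreviewMessage(e, frame)) showLog(e.data.log); })`; the preview document reports results with `parent.postMessage({ log: ... }, '*')`, the wildcard being unavoidable from a null origin, which is why the host must filter by `event.source`.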