2

I am making a website which allows users to create ads, apps, etc. Think of it like Adsense for ads and Facebook apps for apps.

So, I am allowing the users to create ads or apps the way they want using either tools provided or through their own HTML code which will then be rendered as ads and apps in the website for other users to see.

My Problem:

1) When I allow users to add their own code which is to be embedded in the website, am I exposing my website to security risks? (I am not sure but I think they will be able to add some malicious code in javascript)

2) If I think of isolating the embedded code from rest of the website using Iframes, will that be a problem or is there any better way to do this?

What I want to achieve:

Some sort of element to render user generated custom HTML, CSS code in a website without affecting security.

Mike
  • 23,542
  • 14
  • 76
  • 87
Vignesh T.V.
  • 1,790
  • 3
  • 27
  • 48

1 Answers1

3

Depending on the types of ads or apps they are allowed to make and what languages they can use you can be at risk in a few ways especially if other users can see it.

Let's assume they can use html and they add this code

<img src='fake.jpg' onerror='alert("xss");'>

In this scenario all of your users who can see this are exposed to an xss attack. If this is the case, see this post -> How can I allow my user to insert HTML code, without risks?

I would not recommend server side languages and while iframes may inherently be more secure, the same thing applies, especially if your domain hosts the iframe. If the iframe src is on the same domain as where the iframe is displayed you can toss out any security iframes may pretend to offer.

The best solution is to offer your own wysiwyg editor where your special codes are turned into html code. Allowing JS is going to be something you want to consider doing in a safe way, this could be done through creating your own wrapper (even wrapping a series of jquery functions in a wrapper) and including them in your wysiwyg cleverly.

Community
  • 1
  • 1
Jesse
  • 2,790
  • 1
  • 20
  • 36
  • Thanx a lot for your answer. When I allow people to make APPS, many are going to use javascript in that. So, blocking Javascript cannot be the right way for my case. And as you said, if I give a wysiwyg editor for them to create content, they cant add any javascript code to it. So, is there no other way possible that I allow user the full flexibility to use any language and still isolate rest of website from it? And by the way, how does FB do it? Wont they be posed with security threats? – Vignesh T.V. Sep 26 '15 at 05:47
  • When making a post in stackoverflow you will see a neat option to add inline jsfiddle like boxes. You could make a wrapper that wraps up functions like a fade in or a fade out and cleverly include them like stackoverflow did in that scenario. What may be best is to let them use JS for the apps and have a reporting / voting system. You could automatically disallow some things in apps by manually or creating a script that auto checks code for certain things like iframes, but in the end, if they use JS, some level of verification needs to happen – Jesse Sep 26 '15 at 05:50
  • thank you for your reply. I do understand what you are trying to say. And I just went through Facebook's code and came to know that they are using Iframes for apps. But the problem you said (Iframes from same domain still worries me) I will wait for more answers and will accept yours if I dont find any better solutions. Thanks. – Vignesh T.V. Sep 26 '15 at 05:55
  • 2
    As you mentioned already **same domain**. The trick is that you host your user's app or ad on a different server or atleast a different domain which may eventually point to your sub domain. And then use iframe.. – Akshay Khandelwal Sep 26 '15 at 06:01
  • Akshay Khandelwal - subdomain was exactly going to be my next response. – Jesse Sep 26 '15 at 06:04
  • @AkshayKhandelwal: hmm.. seems to be a good option.. will do it. thanks. – Vignesh T.V. Sep 26 '15 at 07:12