
I'm pretty sure this is a common requirement, I'm just a bit new to JS and I'm not sure what to search for. Please point me in the right direction if this is a duplicate.

So we have customizable areas on our website wherein you can put in tags and css to modify the looks of that area. We are wary that people might put in malicious js code in there.

So we were thinking of a way to disable JavaScript in those areas.

Is there a best practice for that? Or any right approach to do that?

froi
  • Provide a bit of code showing what you are trying to do – Nitin Kumar Sep 23 '16 at 07:23
  • Might want to ask this question on [Server Fault](http://serverfault.com/) – Tibrogargan Sep 23 '16 at 07:24
  • Possible duplicate of [Is It Possible to Sandbox JavaScript Running In the Browser?](http://stackoverflow.com/questions/195149/is-it-possible-to-sandbox-javascript-running-in-the-browser) – Jason C Sep 23 '16 at 07:24
  • To 'disable JavaScript within' usually means 'prevent JavaScript injection from user-entered sources'. Take SO as a trivial example - it is not possible to write a comment that includes custom JavaScript that will execute on someone else's browser. (Injecting malicious and/or unwanted JavaScript is also known as [XSS or Cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) and there are numerous ways to mitigate it depending on specific context.) – user2864740 Sep 23 '16 at 07:24
  • Possible duplicate of [Disable certain tags and javascript inside an element?](http://stackoverflow.com/questions/6806581/disable-certain-tags-and-javascript-inside-an-element) – JJJ Sep 23 '16 at 07:25
  • In the sandboxing case, you can insert user defined JavaScript, but just keep it isolated. There's a few answers there that may accomplish what you want depending on your situation. – Jason C Sep 23 '16 at 07:27
  • For starters, if you have embedded *javascript*, it would have to be enclosed in ` – Joel Lee Sep 23 '16 at 07:27

1 Answer


Yes, this is a common requirement. You need to sanitize the HTML and CSS that you receive from users to ensure it doesn't contain any JavaScript or anything that will surreptitiously load JavaScript. This is non-trivial, so there are tools for it: HTML sanitizers (and CSS sanitizers). These are proper, full-on HTML and CSS parsers that you give whitelists to allow certain tags and attributes and to disallow other tags and attributes (and limit values of attributes).

The sanitizers need to run server-side, and ensure that the user-supplied content is sanitized before being displayed to any other user.[1] So you'll need to find the right tool for your server-side environment, such as the HTML Agility Pack for .Net, OWASP Anti-Samy for Java, etc.


[1] The natural instinct is to sanitize it on receipt, but just sanitizing on receipt isn't good enough, because if you find a flaw in your rules, you have to re-sanitize everything you've stored, or sanitize on both receipt and delivery.

T.J. Crowder
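To make the answer's whitelist (allowlist) approach concrete, here is an added example that is not part of the answer above and not the code of any of the sanitizers it names. It builds a small server-side sanitizer on Python's standard-library html.parser: the input is parsed, and the output is re-serialised from the parsed tokens, so only the listed tags and attributes can ever appear, every `href` is checked against a scheme allowlist, `style` attributes are rebuilt from an allowlist of CSS properties, and `script`/`style` bodies and unknown tags are discarded. All allowlists and the sample input are constructed for illustration and deliberately small; the real tools the answer mentions cover far more of HTML and CSS than this.

```python
# Added example: an allowlist HTML/CSS sanitizer on Python's html.parser.
# The allowlists below are constructed for illustration, not a complete policy.
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "a",
                "ul", "ol", "li", "br", "h1", "h2", "h3"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"style"},
                 "div": {"style"}, "p": {"style"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
ALLOWED_CSS_PROPS = {"color", "background-color", "font-size", "font-weight",
                     "text-align", "margin", "padding"}
# CSS values may use only these characters; parentheses are excluded, so
# url(), expression() and any other function syntax can never pass.
CSS_VALUE_RE = re.compile(r"^[-\w\s#%.,]+$")
# The parser hands script/style bodies over as text; that text is discarded.
DROP_CONTENT_TAGS = {"script", "style"}


def is_safe_url(value: str) -> bool:
    """Accept relative URLs and the listed schemes only. Browsers ignore control
    characters and whitespace inside a scheme, so strip them before looking."""
    probe = re.sub(r"[\x00-\x20]", "", value)
    scheme = urlparse(probe).scheme.lower()
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


def sanitize_css(style: str) -> str:
    """Rebuild a style attribute from allowed properties with safe values only."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = (part.strip() for part in decl.split(":", 1))
        if prop.lower() in ALLOWED_CSS_PROPS and CSS_VALUE_RE.match(value):
            kept.append(f"{prop.lower()}: {value}")
    return "; ".join(kept)


class AllowlistSanitizer(HTMLParser):
    """Re-serialise from parsed tokens: only allowlisted tags/attributes are
    emitted, and all text is escaped on the way out."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # allowed tags emitted and not yet closed
        self.dropping = 0    # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # tag vanishes; its text content still arrives via handle_data
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # on* handlers, src, srcdoc etc. are simply never listed
            value = value or ""
            if name == "href" and not is_safe_url(value):
                continue
            if name == "style":
                value = sanitize_css(value)
                if not value:
                    continue
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open_tags:
            return  # a stray </div> from the user cannot close the page's own container
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close whatever the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Run server-side, at delivery time, on every stored snippet."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of a user-customised area (not real site content)
    sample = ('<div style="color: red; background: url(x)" onclick="steal()">'
              '<a href="javascript:alert(1)">link</a><script>alert(1)</script>'
              '<img src=x onerror=alert(1)>text</div>')
    print(sanitize_html(sample))  # -> <div style="color: red"><a>link</a>text</div>
```

The design point is the one the answer makes: the sanitizer never tries to recognise "bad" input and strip it; it parses, then emits only what the policy explicitly permits, so a new HTML or CSS trick that nobody anticipated falls out by default. Running it at delivery time rather than only on receipt matches the answer's footnote: tightening `ALLOWED_TAGS` or `ALLOWED_CSS_PROPS` later takes effect for everything already stored.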