
I want to make a site where users can upload their own canvas animations for others to see. What are the security risk implications associated with this? Is there an easy way to ensure that what I'm getting is only canvas functions and not malicious code snippets? Thoughts? Thank you.

EDIT: What if I put each animation in a separate subdomain? Is there a way to automate subdomain creation whenever a user uploads?

dmoonman
  • Closely related: [What are the risks of letting users upload and run Javascript](http://stackoverflow.com/questions/4932048/what-are-the-risks-of-letting-users-upload-and-run-javascript) – Pekka Apr 23 '11 at 20:12
  • Also ['Sanitising' user-submitted Javascript - so it still works!](http://stackoverflow.com/questions/3413224/sanitising-user-submitted-javascript-so-it-still-works) – Pekka Apr 23 '11 at 20:13
  • "Is there an **easy** way?" Heck no. – Matt Ball Apr 23 '11 at 20:20
  • One important thing is to run the snippets on a separate domain that has no admin access, no login forms and nothing else. That will already eliminate 95% of all your headaches. – Pekka Apr 23 '11 at 23:38

2 Answers


JavaScript is a VERY flexible language, and it is nearly impossible to be sure what a given piece of code actually does unless you run a very deep analysis on it. If you allow JavaScript to be uploaded, you can get anything, and most of the protections you try to use will not work.

In your case, what you could do is allow people to upload the animation sequence in some custom language that you transform into JavaScript after it is uploaded. That way you have better control over what is executed.

HoLyVieR
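As an added example of the "custom language that you transform into JavaScript" approach (this is not code from the answer above or from any project), here is one shape it can take: uploads are JSON frames made of whitelisted canvas calls and style properties, the server validates every call name, argument count, number range and colour against that whitelist, and only then compiles the spec into JavaScript whose sole content is `ctx.<whitelisted>(literal, ...)` lines. The whitelist, the `LIMITS` values, the `frames`/`call`/`set` field names and the sample spec are all assumptions made for the example; the recording context exists so the generated code can be exercised outside a browser.

```javascript
'use strict';

// Whitelisted canvas methods and the exact number of numeric arguments each takes.
const METHODS = {
  save: 0, restore: 0, beginPath: 0, closePath: 0, fill: 0, stroke: 0,
  rotate: 1, moveTo: 2, lineTo: 2, translate: 2, scale: 2,
  clearRect: 4, fillRect: 4, strokeRect: 4,
  arc: 5, // x, y, radius, startAngle, endAngle
};
// Whitelisted style properties, each with a validator for its value.
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;
const PROPS = {
  fillStyle: v => typeof v === 'string' && HEX_COLOR.test(v),
  strokeStyle: v => typeof v === 'string' && HEX_COLOR.test(v),
  lineWidth: v => isBoundedNumber(v),
};
// Hypothetical resource limits so a spec cannot be used to stall the viewer's browser.
const LIMITS = { maxFrames: 600, maxOpsPerFrame: 500, maxAbs: 1e4 };

function isBoundedNumber(v) {
  return typeof v === 'number' && Number.isFinite(v) && Math.abs(v) <= LIMITS.maxAbs;
}
// hasOwnProperty, so names like "constructor" or "__proto__" never match the whitelist.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Classifies one op as a whitelisted method call, a whitelisted property set, or neither.
function kind(op) {
  if (!op || typeof op !== 'object') return null;
  if (own(METHODS, op.call)) return 'call';
  if (own(PROPS, op.set)) return 'set';
  return null;
}

// Returns a list of error strings; an empty list means the spec is acceptable.
function validate(spec) {
  const errors = [];
  if (!spec || !Array.isArray(spec.frames)) return ['spec.frames must be an array'];
  if (spec.frames.length === 0 || spec.frames.length > LIMITS.maxFrames)
    errors.push(`frame count must be 1..${LIMITS.maxFrames}`);
  spec.frames.forEach((frame, fi) => {
    if (!Array.isArray(frame) || frame.length > LIMITS.maxOpsPerFrame) {
      errors.push(`frame ${fi}: must be an array of at most ${LIMITS.maxOpsPerFrame} ops`);
      return;
    }
    frame.forEach((op, oi) => {
      const where = `frame ${fi} op ${oi}`;
      const k = kind(op);
      if (k === 'call') {
        const args = op.args;
        if (!Array.isArray(args) || args.length !== METHODS[op.call] || !args.every(isBoundedNumber))
          errors.push(`${where}: ${op.call} needs ${METHODS[op.call]} bounded numeric args`);
      } else if (k === 'set') {
        if (!PROPS[op.set](op.value)) errors.push(`${where}: bad value for ${op.set}`);
      } else {
        errors.push(`${where}: unknown operation`);
      }
    });
  });
  return errors;
}

// Emits JavaScript source containing only whitelisted calls on `ctx` with literal
// arguments copied from the validated spec. Throws if the spec does not validate.
function compile(spec) {
  const errors = validate(spec);
  if (errors.length) throw new Error('invalid animation: ' + errors.join('; '));
  const cases = spec.frames.map((frame, fi) => {
    const lines = frame.map(op => kind(op) === 'call'
      ? `    ctx.${op.call}(${op.args.map(String).join(', ')});`
      : `    ctx.${op.set} = ${JSON.stringify(op.value)};`);
    return `  case ${fi}:\n${lines.join('\n')}\n    break;`;
  });
  return `switch (frameIndex % ${spec.frames.length}) {\n${cases.join('\n')}\n}`;
}

// Turns the generated source into a callable. Everything in that source came out of
// compile(), i.e. from validated literals, so this runs the host's code, not the user's.
function instantiate(spec) {
  return new Function('ctx', 'frameIndex', compile(spec));
}

// Stand-in for CanvasRenderingContext2D that records what it was asked to do,
// so generated animations can be exercised outside a browser.
function recordingContext() {
  const log = [];
  const ctx = { log };
  for (const name of Object.keys(METHODS)) ctx[name] = (...args) => { log.push([name, ...args]); };
  for (const name of Object.keys(PROPS))
    Object.defineProperty(ctx, name, { set(v) { log.push(['set', name, v]); } });
  return ctx;
}

// Constructed sample upload: two frames, a red square then a filled circle.
const SAMPLE = {
  frames: [
    [{ set: 'fillStyle', value: '#ff0000' }, { call: 'fillRect', args: [0, 0, 20, 20] }],
    [{ call: 'clearRect', args: [0, 0, 100, 100] }, { call: 'beginPath', args: [] },
     { call: 'arc', args: [50, 50, 10, 0, 6.2832] }, { call: 'fill', args: [] }],
  ],
};
```

In the viewer page the compiled function would be driven from `requestAnimationFrame` with an incrementing frame index. Note that `frameIndex % N` on a negative index matches no case and draws nothing, and that the whitelist deliberately omits anything that takes a string other than a validated colour (no `fillText`, no `drawImage`), since those are where content smuggling would start.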

In terms of specific risks, the obvious one is the easy ability to create a persistent XSS threat. This could easily do anything from reading a user's cookies (including those used to identify their authenticated session) to rewriting the page or modifying the CSS.

It also opens a very easy door to CSRF, which would potentially allow the script to post arbitrary commands on behalf of the victim. Plus there's the risk of things like clickjacking and tabnabbing - the possible exploits are very extensive!

There are ways to mitigate these threats, but the very fact that you're allowing people to upload arbitrary scripts is a massive risk.

Troy Hunt
  • 20,345
  • 13
  • 96
  • 151
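Pekka's comment and the question's edit both raise running the uploads on a separate domain. As an added example of what that isolation looks like in practice (this is not code from either answer or from any project), here are the response headers, session cookie and embed markup a host could use so that even a fully malicious upload cannot reach the risks listed above. The two origins are placeholders. One caveat the example is built around: a subdomain is not enough on its own, because a cookie set with a `Domain=example.com` attribute is sent to every subdomain of it, so the uploads live on a separate registrable domain and the gallery's session cookie uses the `__Host-` prefix, which forbids a `Domain` attribute and makes the cookie host-only. The `/a/<id>/` URL layout and the hex id format are assumptions.

```javascript
'use strict';

// Hypothetical origins: the gallery itself and a separate registrable domain (not a
// subdomain) that serves nothing but uploaded animations and sets no cookies.
const MAIN_ORIGIN = 'https://canvas-gallery.example';
const CONTENT_ORIGIN = 'https://usercanvas-cdn.example';
const ANIMATION_ID = /^[0-9a-f]{32}$/;   // ids are server-generated hex, never user-chosen

// Headers for the page on CONTENT_ORIGIN that runs one user's script.
function userContentHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': [
      // Opaque origin, scripts only: no forms, no popups, no navigating the parent tab.
      'sandbox allow-scripts',
      "default-src 'none'",
      `script-src ${CONTENT_ORIGIN}`,        // only the stored upload: no inline, no third parties
      `img-src ${CONTENT_ORIGIN} data:`,
      // connect-src is left at default-src 'none': the script cannot fetch/XHR anywhere.
      `frame-ancestors ${MAIN_ORIGIN}`,      // only the gallery may embed these pages
    ].join('; '),
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer',
  };
}

// Headers for gallery pages on MAIN_ORIGIN.
function mainPageHeaders() {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': [
      "default-src 'self'",
      `frame-src ${CONTENT_ORIGIN}`,         // the only thing the gallery will frame
      "object-src 'none'",
      "base-uri 'self'",
      "frame-ancestors 'none'",              // clickjacking: nobody frames the gallery
    ].join('; '),
    'X-Frame-Options': 'DENY',               // same, for browsers that predate frame-ancestors
  };
}

// Session cookie for MAIN_ORIGIN. __Host- forbids a Domain attribute, so the cookie is
// host-only and is never sent to any other host, subdomain or not; HttpOnly keeps it out
// of document.cookie; SameSite=Strict keeps it off cross-site requests (CSRF).
function sessionCookie(value) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(value)) throw new Error('bad session value');
  return `__Host-session=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Embed markup the gallery emits. No allow-same-origin: the frame cannot reach the
// gallery's DOM, storage or cookies, and with no allow-top-navigation or allow-popups
// it cannot tabnab the viewer or open windows.
function embedHtml(animationId) {
  if (!ANIMATION_ID.test(animationId)) throw new Error('bad animation id');
  return `<iframe src="${CONTENT_ORIGIN}/a/${animationId}/" sandbox="allow-scripts" ` +
    'referrerpolicy="no-referrer" width="640" height="480"></iframe>';
}

// Router for CONTENT_ORIGIN. Returns a plain object so it can be exercised without a
// socket; wire it up with http.createServer((req, res) => { const r = contentHandler(req.url); ... }).
function contentHandler(path) {
  const m = /^\/a\/([0-9a-f]{32})\/$/.exec(path);
  if (!m) return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  // The runner page has no inline script; the upload itself is served as /a/<id>/animation.js.
  const body = '<!doctype html><meta charset="utf-8">' +
    '<canvas id="c" width="640" height="480"></canvas>' +
    `<script src="/a/${m[1]}/animation.js"></script>`;
  return { status: 200, headers: userContentHeaders(), body };
}
```

With this in place an upload still runs arbitrary JavaScript, but in an opaque-origin document that holds no cookies, cannot make network requests, cannot submit forms, open windows or navigate the top page, and can only be framed by the gallery; the gallery's own session cookie never leaves the gallery host. The `sandbox` CSP directive only works as an HTTP header, not in a `<meta>` tag.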