
I've seen a few other questions that are similar to this question I have, but don't have the answer I am looking for.

I am building a website for coding courses (I know there are a lot of them out there already, but I am building it to include all the things I like about the ones already built), and I want to allow people to write code, and be able to share it with others (I know Khan Academy does this, but only for HTML/CSS/JS and [a modified version of] Processing.js, and I know that Replit.com does this for almost every language there is, but I want to have this on my website, if not too difficult).

There are two main problems that I am facing:

  1. I don't know how to make it run (except for JavaScript, HTML, and CSS, these will be pretty easy to get running since browsers run them).
  2. I don't know how to limit the use to make it safe to run (I know Khan Academy limits what things you can use in the code, but I don't know what kind of things that I would need to stop from being run).

If I can just do the Web Frontend Pillars, that will be fine, but I at least want to know what and how I can stop unsafe code from being run.


I just had a thought... I don't know a whole lot about it, but if the code (at least JavaScript and HTML/CSS/JavaScript) is run inside an <iframe> will this be safe? Or is it still just as unsafe?

Jacob Hornbeck
  • Languages like Python, C, etc. will more than likely be run on a backend API and then sent back up to the user. I believe repl.it assigns small virtual VM instances for each project that handles everything surrounding saving code, compiling, and live running. You'd probably ban packages like os for Python since it can execute potentially dangerous commands. That's the only input I can provide towards your project. – Keegan Murphy May 30 '22 at 22:13
  • Thank you @KMM! I would like to start with HTML, CSS, and JavaScript, since those will be the first courses/tutorials I will have on my website. Do you have any tips to make those safe for me to run? If it is an ` – Jacob Hornbeck Jun 02 '22 at 01:59
  • HTML and CSS are inherently safe languages that can be run, and iframes are only malicious in a few specific ways that can just be googled. JS not so much (why some browsers disable it). Read the following for more details on your sandbox question: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox. Running HTML and CSS in iframes is a good idea and can be seen here: https://stackoverflow.com/questions/6102636/html-code-as-iframe-source-rather-than-a-url. Safety checks are always a good idea, since users could cheese some code through that your website can't handle. – Keegan Murphy Jun 02 '22 at 20:35
  • I believe repl uses small virtual VMs, so in case someone wants to goof around they can't be too malicious. Running the code in someone's local browser by injecting an iframe with a src also isn't problematic, since it's front end only and they'd be trolling themselves. If you're saving code and allowing other users to view it, that's a different story, since it involves the backend and other users. Disclaimer: I am not a security expert, this is my opinion. For a commercial product consult a specialist and do plenty more research than this. – Keegan Murphy Jun 02 '22 at 20:39
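
An added example, not part of the original question or comments: one way to wrap a learner's HTML/CSS/JS in the sandboxed iframe discussed above, using the `sandbox` attribute from the linked MDN page with the code supplied through `srcdoc`. The function names, the Content-Security-Policy value and the sample submission are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical, not from any library.
const CSP =
  "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'";

// Escape text for a double-quoted HTML attribute, so the submission cannot
// end the srcdoc attribute and inject markup into the host page.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Keep "</script" or "</style" inside the code from closing its element early.
function neutralizeClose(code, tag) {
  return String(code).replace(new RegExp("</(" + tag + ")", "gi"), "<\\/$1");
}

// Assemble the document that runs inside the frame. The CSP meta tag comes
// first so it applies to everything after it: no network loads, inline only.
function buildFrameDocument({ html = "", css = "", js = "" }) {
  return [
    "<!doctype html><html><head>",
    `<meta http-equiv="Content-Security-Policy" content="${CSP}">`,
    `<style>${neutralizeClose(css, "style")}</style>`,
    "</head><body>",
    String(html),
    `<script>${neutralizeClose(js, "script")}</script>`,
    "</body></html>",
  ].join("\n");
}

// allow-scripts without allow-same-origin: scripts run, but in an opaque
// origin with no access to the host page's DOM, cookies or storage.
function buildSandboxedFrame(submission) {
  const doc = buildFrameDocument(submission);
  return `<iframe sandbox="allow-scripts" srcdoc="${escapeAttr(doc)}"></iframe>`;
}

// Constructed sample submission (not from the page).
const sample = {
  html: '<p class="out">Hello</p>',
  css: ".out { color: green; }",
  js: 'document.querySelector(".out").textContent = "</script> in a string";',
};
const frameMarkup = buildSandboxedFrame(sample);
console.log(frameMarkup);
```

Adding `allow-same-origin` next to `allow-scripts` would let the framed code remove the sandbox, so the two should not be combined for code written by other users.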

0 Answers