1

I'm developing a CMS and I host the users' sites on my server (as Tumblr or WordPress do). Since I let them write custom HTML & CSS code for their site pages, I would like to know if there is any security problem in letting them write JavaScript code too, and what kind of problems it can cause.

Thank you!

AldoB

1 Answer

1

This is something that can indeed lead to security issues. It can be done, but one should be very careful w.r.t. XSS, CSRF, cookie theft, etc. This is especially prevalent if your users have the same domain (e.g. example.com/user1 and example.com/user2), since a lot of security models trust the entire domain.

Tread carefully; when in doubt, don't implement this.

Von Lion
  • Thank you for the hints, especially for cookie theft; it's what I'm now studying in depth. Users don't share the same domain, but they can have username.mycms.com or username.com, so some security model comes to help. – AldoB Feb 28 '13 at 09:18
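
The cookie-theft point above, as an added example that is not part of the original answer or comment: a simplified model of browser cookie scoping that shows which of the CMS's own cookies a script on a user site could read through `document.cookie`. The host `admin.mycms.com` and every cookie name and value are constructed for illustration; the public-suffix list and Path/Secure handling are left out.

```javascript
// Added example: simplified RFC 6265 cookie scoping.
// Assumptions: admin.mycms.com is a hypothetical CMS login host; cookies are constructed.

// Parse one Set-Cookie header as received from `setterHost`.
function parseSetCookie(header, setterHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    domain: setterHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: sent only to the exact setting host
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    if (key === "domain" && v.trim()) {
      // A Domain attribute widens the cookie to that domain and all its subdomains.
      cookie.domain = v.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Names of the cookies that script running on `pageHost` can read.
function readableByScript(cookies, pageHost) {
  const host = pageHost.toLowerCase();
  return cookies
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter((c) => !c.httpOnly) // HttpOnly cookies are hidden from document.cookie
    .map((c) => c.name);
}

const ADMIN = "admin.mycms.com"; // hypothetical
const jar = [
  parseSetCookie("session=abc; Domain=mycms.com; Path=/", ADMIN),    // weak: wide and script-readable
  parseSetCookie("session_ho=abc; Domain=mycms.com; HttpOnly", ADMIN), // wide but HttpOnly
  parseSetCookie("__Host-sid=abc; Path=/; Secure; HttpOnly", ADMIN), // host-only and HttpOnly
  parseSetCookie("prefs=dark; Path=/", ADMIN),                       // host-only, script-readable
];

console.log(readableByScript(jar, "username.mycms.com")); // user site on a subdomain
console.log(readableByScript(jar, "username.com"));       // user site on its own domain
```

Only the cookie set with `Domain=mycms.com` and without `HttpOnly` is visible to user-written script on `username.mycms.com`; host-only cookies on the login host stay out of reach of the user subdomains.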