
I've been working on a JS library and would like to set up a demo page on GitHub that allows, for example, users to define their own callbacks and execute commands.

I know "eval() is evil" and I can see how blind eval() of scripts could lead to XSS and other security issues. I'm trying to cook up some alternative schemes.

I really enjoy the interactivity of jsFiddle. I've taken a look at their source but was hoping someone could lay out here how jsFiddle allows and executes user-defined JavaScript without being dangerous. So long as it doesn't involve a 3rd party echo server, I'm hoping I can emulate the approach.

buley

1 Answer


jsFiddle executes user scripts on a separate domain, http://fiddle.jshell.net (try it and see).
Therefore, it can't interact with the parent frame and it can't steal cookies.

You can actually do this without a separate server by placing a static page in a separate domain that reads from its querystring in JavaScript.
You can communicate back using the page title (and so can the enemy).

SLaks
  • What does it mean to execute on a separate domain -- load an iFrame containing a page that executes the JavaScript? – buley Nov 04 '11 at 01:44
  • @editor: Exactly. The page in the ` – SLaks Nov 04 '11 at 01:46
  • @SLaks - Why does `alert(document.cookie);` work in jsFiddle? – Shlomi Hassid Apr 24 '15 at 22:33
  • A bit late. @ShlomiHassid the security concerns revolve around access to cookies, NOT access to your browser environment. Hence, `alert('hello')` works and outputs "hello" in an alert box, but `alert(document.cookie)` only outputs an empty string (the alert box does still show up, but doesn't show any cookies unless the jshell.net domain has cookies on it). – Monarch Wadia Sep 02 '16 at 19:04
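The scheme the answer describes, written out as an added example (not jsFiddle's code or SLaks's): the host page puts the user's code in the querystring of a static page on a separate origin and loads it in an iframe; for the return channel it uses postMessage with explicit origin checks instead of the page title. It assumes placeholder origins `demo.example` and `sandbox.example` and, on the host page, a `#code` textarea and an `#output` element.

```javascript
// Added example (not jsFiddle's or the answer author's code). Hypothetical origins: host demo
// page at HOST_ORIGIN, throwaway sandbox at SANDBOX_ORIGIN; postMessage replaces the title channel.
const HOST_ORIGIN = 'https://demo.example';
const SANDBOX_ORIGIN = 'https://sandbox.example';

// Host side: carry the user's code in the sandbox page's querystring. Refuse if the
// two origins collide, because that separation is the whole defence.
function buildSandboxUrl(userCode, sandboxOrigin = SANDBOX_ORIGIN, hostOrigin = HOST_ORIGIN) {
  if (new URL(sandboxOrigin).origin === new URL(hostOrigin).origin) {
    throw new Error('sandbox must be served from a different origin than the host');
  }
  const url = new URL('/run.html', sandboxOrigin);
  url.searchParams.set('code', userCode);
  return url.toString();
}

// Sandbox side: recover the code from the querystring.
function extractCode(href) {
  return new URL(href).searchParams.get('code') || '';
}

// Sandbox side: eval by another name, acceptable only because this page runs on the
// separate origin where there are no host cookies or DOM to reach. Errors become text.
function runUserCode(code) {
  try {
    return 'ok:' + String(new Function(code)());
  } catch (e) {
    return 'error:' + e.message;
  }
}

// Host side: accept a result only if it really came from the sandbox origin.
function isTrustedSandboxMessage(event, sandboxOrigin = SANDBOX_ORIGIN) {
  return event.origin === sandboxOrigin && typeof event.data === 'string';
}

// Browser wiring; skipped under Node, where only the functions above are exercised.
if (typeof window !== 'undefined') {
  if (window.location.origin === SANDBOX_ORIGIN) {
    // Sandbox page: run and report to the host origin only, never to '*'.
    window.parent.postMessage(runUserCode(extractCode(window.location.href)), HOST_ORIGIN);
  } else {
    window.addEventListener('message', (e) => {
      if (isTrustedSandboxMessage(e)) document.getElementById('output').textContent = e.data;
    });
    const frame = document.createElement('iframe');
    frame.src = buildSandboxUrl(document.getElementById('code').value);
    document.body.appendChild(frame);
  }
}
```

Serve `run.html` from the sandbox origin with this script and nothing else of value on that origin; the same file doubles as the host script because it branches on `window.location.origin`.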