1

I have a textarea and I will have some users that will create React components inside the textarea; they will be able to save and edit them. I want to be able to execute that JavaScript without being attacked with XSS.

This JavaScript will be used to create graphs and other graphical components for the user that creates them.

4
  • Look what Stack Overflow does with their snippets. Same thing. Commented Jul 31, 2015 at 19:35
  • But those snippets are just text that is displayed; they are never actually used as code. In this example, non-malicious code should be allowed to run while malicious code should be blocked from running. Commented Jul 31, 2015 at 19:37
  • I would have to use HTML5 sandboxed iframes and we would render the snippets into another of our domains, in short? Commented Jul 31, 2015 at 19:38
  • A subdomain should be sufficient afaik though, provided that cookie & origin policies are configured correctly (i.e. lock the subdomain out of everything). Commented Jul 31, 2015 at 19:40

2 Answers

1
  1. Any sort of "sanitisation" of arbitrary JavaScript is doomed to fail, but there's the Caja project, which defines a subset of JavaScript and DOM that can be analyzed statically, and can reject suspicious scripts (and unfortunately also benign scripts when it can't fully understand them).

  2. A better approach may be simply to execute JavaScript as-is, but on a separate domain. This way your site will be protected by the same-origin policy, the same way browsers protect all sites from each other.

You'll need a completely separate TLD if you use cookies (since a script on any subdomain can poison cookies on the entire domain). That's the approach Google takes with googleusercontent.com that's used to run arbitrary scripted pages for Google Translate, etc.

When you run JS on a separate domain, via an iframe, you'll need to use postMessage to communicate between your page and the untrusted script. Make sure you carefully validate the messages you receive, as you would any user input or an API call.


2 Comments

When executing the JavaScript, I will have to send the whole React stuff with it, right?
@MaximeRoussin-Bélanger Yes, you'll have to include (another copy of) React inside the iframe, since it's not possible to share JS objects across origins (apart from copying data as JSON).
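The host-page side of the approach described in this answer (iframe on a separate origin, React loaded inside it, and strict validation of every postMessage reply), as an added example that is not part of the original answer. The sandbox origin, the `runner.html` page, the message shapes and the `status` element are all assumptions for illustration.

```javascript
// Host page: run untrusted component code in an iframe served from a separate
// origin and accept only validated messages back. Added example; assumed values below.
const SANDBOX_ORIGIN = "https://usercontent.example.net"; // placeholder separate TLD, no shared cookies

// The only message types the host will accept from the sandbox (assumed protocol).
const ALLOWED_TYPES = new Set(["chart-rendered", "chart-error"]);
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;

// Validate one MessageEvent-like object {origin, source, data} from the sandbox.
// Returns a fresh, validated object, or null to reject the message.
function validateSandboxMessage(event, expectedSource = null, expectedOrigin = SANDBOX_ORIGIN) {
  if (event.origin !== expectedOrigin) return null;                    // origin check first
  if (expectedSource && event.source !== expectedSource) return null;   // and the exact frame
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;                // no bare strings
  if (!ALLOWED_TYPES.has(d.type)) return null;
  if (typeof d.componentId !== "string" || !ID_RE.test(d.componentId)) return null;
  if (d.type === "chart-rendered") {
    const okDim = (n) => Number.isInteger(n) && n >= 0 && n <= 4096;
    if (!okDim(d.width) || !okDim(d.height)) return null;
    return { type: d.type, componentId: d.componentId, width: d.width, height: d.height };
  }
  // chart-error: bounded text only; it is rendered via textContent, never innerHTML
  if (typeof d.message !== "string" || d.message.length > 500) return null;
  return { type: d.type, componentId: d.componentId, message: d.message };
}

// Mount the user's code in an iframe on the sandbox origin. runner.html (assumed) loads
// its own copy of React and evaluates the source it receives via postMessage.
function mountSandbox(userScriptSource, componentId) {
  const frame = document.createElement("iframe");
  // allow-same-origin keeps the frame's real (separate) origin so event.origin is checkable;
  // isolation comes from the separate domain, not from an opaque "null" origin.
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  frame.src = SANDBOX_ORIGIN + "/runner.html";
  frame.addEventListener("load", () => {
    frame.contentWindow.postMessage(
      { type: "run", componentId, source: userScriptSource }, SANDBOX_ORIGIN); // target origin pinned
  });
  document.body.appendChild(frame);
  return frame;
}

if (typeof window !== "undefined") {               // browser-only wiring
  const frame = mountSandbox("/* constructed user code */", "chart-1");
  window.addEventListener("message", (event) => {
    const msg = validateSandboxMessage(event, frame.contentWindow);
    if (!msg) return;                               // silently drop anything unexpected
    const status = document.getElementById("status");
    if (msg.type === "chart-error" && status) status.textContent = msg.message;
  });
}
```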
1

This is going to be extremely challenging, even with a whitelist of functions. You could consider loading a new page that is not associated with the domain, so it wouldn't have a cookie for session data. It would be on a separate domain that is untrusted.
