
I'm curious to learn the best technique for allowing users to add javascript to pages in an app without opening a security can of worms.

For a long time I thought this was impossible, but I was kicking the tires on the hosted e-commerce product Tictail and their customization tool allows you to add any markup and javascript that you want. I'm very curious how they might be doing this without becoming vulnerable to exploits.

Below are some test scripts I added to a page, and the results.

<script> alert(document.cookie) </script> 

that works, and an alert is triggered - will the page run anything?

<script> document.body.style.display = 'none'; </script> 

that does not work - the script tag loads in the page as-is, but an error is shown in the console: Uncaught TypeError: Cannot read property 'style' of null

Thanks for any ideas/insights.

  • I think you're looking for a JavaScript sandbox. Take a look at stackoverflow.com/questions/5044608/javascript-sandbox. Commented Jun 13, 2014 at 22:31
  • You might be looking for something like this: stackoverflow.com/questions/195149/… Commented Jun 13, 2014 at 22:31
  • For those of us not familiar with Tictail, what exactly does it allow you to edit? Is it a site they're hosting for you with your design? Some kind of template-based hosting service? Commented Jun 13, 2014 at 22:38
  • Here's the interface, where you can edit/add css and js to your page's template: i.imgur.com/ozeyCW6.png Commented Jun 13, 2014 at 23:01
  • Only you, as the storekeeper, can edit/modify your store template/theme. And yes, you can add any markup, styles and scripts that you see fit to make your store amazing. This is not a security concern. Commented Jan 22, 2015 at 10:54

1 Answer

What is insecure about letting the user add HTML or Scripts if they are only served back to the same person who created them?

I would bet this e-commerce product won't let you serve arbitrary html / script to other users.

Any user of your web page(s) can always add any script / html to the page on their side. XSS scripting is all about letting the user insert HTML/script which is then served back to other users. Just look at tools like Greasemonkey or Firebug.


3 Comments

  • I may have described the process poorly, but when I add scripts to the page using the editing interface (in this case, my store page) those scripts are in fact served to anyone who accesses the page.
  • But you own the store page right? No one else can modify your store page and then serve users that code? End users have to trust the developers of the sites they use.
  • Admiral Adama: That's correct. The markup, styles and scripts will only be served to users visiting this specific store and will not affect other stores on the platform.
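The last comment's point (a storekeeper's script affects only that store) depends on how the platform isolates stores. As an added example that is not from the question, the answer or Tictail, the following models RFC 6265 cookie scoping to show what a custom script running on one store's page could read under a path-based layout versus a per-store subdomain layout. The hostnames and cookie jar are constructed for illustration.

```javascript
// Added example: which cookies does a store's custom script see via document.cookie?
// Hostnames and cookies below are constructed, not taken from any real platform.

// RFC 6265 section 5.1.3: does the request host domain-match the cookie's Domain?
function domainMatches(requestHost, cookieDomain) {
  requestHost = requestHost.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return requestHost === cookieDomain || requestHost.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4: does the request path path-match the cookie's Path?
// Note: Path is not a security boundary; same-origin pages can still frame each other.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of cookies a script on page host+path can read. HttpOnly cookies are
// never exposed to script; host-only cookies (no Domain attribute) need an exact host.
function readableCookies(host, path, jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter((c) => pathMatches(path, c.path))
    .map((c) => c.name);
}

// Constructed jar mixing two layouts for the same hypothetical platform "shop.example":
//  - path-based: every store lives under shop.example/<store>/, session cookie on the shared host
//  - subdomain-based: store B lives on storeb.shop.example, session cookie host-only there
//  - platform-wide cookies set with Domain=shop.example are visible to every subdomain
const jar = [
  { name: "sess_pathB",     domain: "shop.example",        path: "/", hostOnly: true,  httpOnly: false },
  { name: "sess_subB",      domain: "storeb.shop.example", path: "/", hostOnly: true,  httpOnly: false },
  { name: "platform_login", domain: "shop.example",        path: "/", hostOnly: false, httpOnly: false },
  { name: "platform_sess",  domain: "shop.example",        path: "/", hostOnly: false, httpOnly: true  },
];

// Store A's script under the path-based layout sees store B's customer session.
console.log(readableCookies("shop.example", "/storeA/", jar));        // sess_pathB, platform_login
// Under the subdomain layout it sees only the platform-wide, non-HttpOnly cookie.
console.log(readableCookies("storea.shop.example", "/", jar));        // platform_login
console.log(readableCookies("storeb.shop.example", "/", jar));        // sess_subB, platform_login
```

The per-store subdomain layout is what makes "will not affect other stores" hold for script-readable state; a Domain-wide cookie that is not HttpOnly remains shared across all stores.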
