added 29 characters in body
Arseni Mourzenko

dynamically appending new code on the rendered page in a way that the changes would reflect on the other clients

And this makes it possible to do XSS, mislead the users into providing confidential data such as passwords, and do lots of other cool stuff.

You can't just let the users change the source code and run it, unverified, in other people's browsers. It's not safe if it's on server side. It's not safe if it's on client-side too.

You can provide a way to change content, and maybe a bit of presentation. For instance, StackExchange makes it possible for the users to change the content and presentation of specific parts of the pages: this makes it possible to have user-generated questions, answers and comments. But running arbitrary JavaScript on any page of Programmers.SE? That won't happen.

StackOverflow has a snippet feature which makes it actually possible to run JavaScript. But:

  • Snippets don't run automatically: the user has to launch them.

  • It won't be easy to trick a community of programmers to launch a malicious snippet (with source code available for checking before launching), while keeping a positive question/answer score and no close votes/flags.

  • XSS is impossible.

  • Snippets run in HTML5 sandboxed iframes, which means they can't log you out from your StackOverflow account and trick you into providing your credentials to a hacker.
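The last bullet is the isolation mechanism that makes a snippet runner tolerable: the user's code executes in an iframe whose `sandbox` attribute denies it the host page's origin. The following is an added example, not code from the answer and not a description of how Stack Overflow's own runner is built. It assumes a hypothetical runner that delivers the snippet via `srcdoc`, and the function names (`sandboxTokens`, `snippetFrameMarkup`, `frameIsIsolated`) are this example's own.

```javascript
// Added example: building the markup that runs an untrusted, user-supplied
// snippet inside an HTML5 sandboxed iframe. The policy below (which sandbox
// tokens a runner grants) is an assumption of this example.

// Sandbox tokens this hypothetical runner is willing to grant.
const GRANTABLE = new Set([
  "allow-scripts", // the snippet must be able to run JavaScript
  "allow-forms",   // form submission inside the frame only
  "allow-modals",  // alert()/prompt() inside the frame
  "allow-popups",
]);

// Never granted. allow-same-origin combined with allow-scripts would give the
// framed document the host page's origin: it could read the host DOM and
// cookies (the session the answer talks about) and even remove the sandbox
// attribute from its own iframe. allow-top-navigation would let it redirect
// the whole tab, e.g. to a look-alike login page.
const NEVER_GRANT = new Set(["allow-same-origin", "allow-top-navigation"]);

// Reduce a requested token list to what the policy allows. allow-scripts is
// always present so the snippet actually runs; everything else stays denied
// unless explicitly grantable.
function sandboxTokens(requested) {
  const granted = [];
  for (const token of requested) {
    if (NEVER_GRANT.has(token)) continue;
    if (GRANTABLE.has(token) && !granted.includes(token)) granted.push(token);
  }
  if (!granted.includes("allow-scripts")) granted.unshift("allow-scripts");
  return granted;
}

// Escape text for placement inside a double-quoted HTML attribute value, so
// the snippet cannot break out of srcdoc="..." into the host document.
function escapeAttr(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Markup for one snippet frame. Without allow-same-origin the frame gets an
// opaque origin: inside it, location.origin is the string "null", cookies are
// unreadable, and any access to parent.document throws a SecurityError.
function snippetFrameMarkup(snippetHtml, requested = ["allow-scripts"]) {
  const sandbox = sandboxTokens(requested).join(" ");
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeAttr(snippetHtml)}"></iframe>`;
}

// Review check for generated (or hand-written) markup: is there a sandbox
// attribute, and does it avoid the tokens that would defeat the isolation?
function frameIsIsolated(markup) {
  const match = /\bsandbox="([^"]*)"/.exec(markup);
  if (!match) return false; // no sandbox attribute at all
  const tokens = match[1].split(/\s+/).filter(Boolean);
  return !tokens.some((t) => NEVER_GRANT.has(t));
}

// Constructed sample snippet: it only reports its own origin, which in a
// sandboxed frame without allow-same-origin renders as "null".
const SAMPLE_SNIPPET =
  '<script>document.body.textContent = "origin: " + location.origin</script>';

console.log(snippetFrameMarkup(SAMPLE_SNIPPET, ["allow-same-origin", "allow-scripts"]));
console.log(frameIsIsolated('<iframe sandbox="allow-scripts allow-same-origin"></iframe>'));
```

Note that a snippet can still be malicious within its own frame (it can draw a fake login form, for example), which is why the answer's other two bullets matter: the user has to launch it deliberately, and the source is visible before launching. The sandbox only guarantees that whatever the snippet does, it does so as an unrelated origin without the host site's session.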

Arseni Mourzenko

dynamically appending new code on the rendered page in a way that the changes would reflect on the other clients

And this makes it possible to do XSS, mislead the users into providing confidential data such as passwords, and lots of other cool stuff.

You can't just let the users change the source code and run it, unverified, in other people's browsers. It's not safe if it's on server side. It's not safe if it's on client-side.

You can provide a way to change content, and maybe a bit of presentation. For instance, StackExchange makes it possible for the users to change the content and presentation of specific parts of the pages: this makes it possible to have user-generated questions, answers and comments. But running custom JavaScript on an arbitrary page of Programmers.SE? That won't happen.

StackOverflow has a snippet feature which makes it possible to run JavaScript. But:

  • Snippets don't run automatically: the user has actually to launch them.

  • It won't be easy to trick a community of programmers to launch a malicious snippet (with source code available for checking before launching), while keeping a positive question/answer score and no close votes/flags.

  • Snippets run in HTML5 sandboxed iframes, which means they can't log you out from your StackOverflow account and trick you into providing your credentials to a hacker.