Why Is It Dangerous To Render User-generated HTML Or Javascript?
I don't know if this is really dangerous, but, as Google does it with its HTML and Javascript served from Google Apps Script (as explained here, they use Caja Compiler to 'sanitize
Solution 1:
Allowing end users to edit HTML or JavaScript can lead to your site being vulnerable to XSS - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
If users view the content other users have created, their scripts could be compromising cookie values or the user session by sending the values to the attacker's server.
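An added example, not part of either answer: a minimal allowlist sanitizer showing how event-handler attributes, `javascript:` URLs and script bodies are stripped before user-supplied HTML is rendered to other users. The policy (`ALLOWED`, `SAFE_SCHEMES`) and the names `sanitize` and `clean_url` are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tag -> attributes allowed on it.
ALLOWED = {"b": (), "i": (), "em": (), "strong": (), "p": (), "br": (), "a": ("href",)}
DROPPED_WITH_BODY = ("script", "style")         # remove the element and its text
SAFE_SCHEMES = ("", "http", "https", "mailto")  # "" means a relative URL

def clean_url(url):
    """Return the URL if its scheme is allowed, else None."""
    url = "".join(ch for ch in url if ch > " ")  # drop whitespace/control chars
    try:
        return url if urlsplit(url).scheme.lower() in SAFE_SCHEMES else None
    except ValueError:
        return None

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0              # skip > 0 inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_BODY:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED[tag]:     # drops onclick=, style=, ...
                    continue
                value = clean_url(value or "")   # the only allowed attribute is a URL
                if value is not None:
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
        # any other tag is dropped; its text still reaches handle_data

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_BODY:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))        # text is always re-escaped

def sanitize(user_html):
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)

# Constructed input, not from the page.
SAMPLE = '<p onclick="x()">Hi <b>there</b></p><script>send(document.cookie)</script>'
```

The sanitizer does not rebalance unclosed tags, so its output should still be placed inside a container element the page controls.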
Solution 2:
Bad things can happen with HTML; worse things can happen with most templating engines, including Jinja2. Like arbitrary code execution. That’s why there’s a sandbox.