I have a web app where I allow users to create a one-page portfolio using drag and drop. I also allow them to add custom HTML freely (basically any HTML or JS code).
I'm aware that I shouldn't allow the custom HTML to be executed while they are in the EDIT mode, so I save it in the database but never render it into the editor page.
However, I need that custom HTML/JS to be rendered in their built portfolio page. To prevent security issues, here is what I did:
- In addition to the private IP related to my app, I added another private IP
- I purchased another domain. Let's say, for example, my app domain is portfolio-app.com; I purchased another domain, portfolio-show.com, and pointed that domain to my app (using the second private IP). This means I have 2 domains pointing to the same app, but each domain has its own private IP.
- In my app I have a route in place that detects if the request is coming from the portfolio-show.com host; if so, it looks up the path and shows the specific user's portfolio.
The routing logic basically goes like this:
    if request.host == 'portfolio-show.com'
      get ':any-id', to: 'portfolioController#showAction'
    end
The showAction is rendered only on portfolio-show.com but never under portfolio-app.com,
so if you are user 1, your portfolio will be visited under portfolio-show.com/user-1-portfolio
My concern is: is showing the custom HTML/JS under a different domain enough to protect my app? Am I safe if some user puts malicious code on their portfolio page?
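
The host check described in the post, written out as an added example that is not part of the original post: a plain-Ruby, Rack-style dispatcher that compares the normalized Host header exactly, so user HTML/JS is only served on portfolio-show.com and no app route is served there. `dispatch`, `normalize_host` and the two stub handlers are hypothetical names standing in for the real router and controllers.

```ruby
# Added example: plain-Ruby, Rack-style dispatcher (no gems needed).
SHOW_HOST = 'portfolio-show.com' # serves user-supplied HTML/JS
APP_HOST  = 'portfolio-app.com'  # serves the editor and everything else

# Normalize a Host header: lowercase, drop the port and a trailing dot.
def normalize_host(raw)
  host = raw.to_s.strip.downcase
  host = host.sub(/:\d+\z/, '')
  host.chomp('.')
end

# Hypothetical stand-ins for the real controllers.
def show_portfolio(slug)
  [200, { 'content-type' => 'text/html' }, ["portfolio:#{slug}"]]
end

def app_route(path)
  [200, { 'content-type' => 'text/html' }, ["app:#{path}"]]
end

NOT_FOUND = [404, { 'content-type' => 'text/plain' }, ['not found']].freeze

def dispatch(env)
  host = normalize_host(env['HTTP_HOST'])
  path = env['PATH_INFO'].to_s

  case host
  when SHOW_HOST
    # Only single-segment portfolio paths; no app routes on this host.
    m = path.match(%r{\A/([A-Za-z0-9][A-Za-z0-9_-]*)\z})
    m ? show_portfolio(m[1]) : NOT_FOUND
  when APP_HOST
    # The app's own router; it has no portfolio-rendering route.
    app_route(path)
  else
    NOT_FOUND # unknown or look-alike Host header
  end
end
```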