I want to render user-uploaded HTML (consisting of possibly many files with images, custom CSS, custom JS, all uploaded in a zip file) for preview purposes. The user that submits the HTML will be the only one to access it.

I want the user's HTML to be isolated from the rest of my website (no access to JavaScript, no CSS inheritance, no access to the server's other files).

I read some information about iframes in another question, and I am considering the use of a sandboxed iframe.

I wonder if it's secure enough, or if there are better options.

luxcem
  • How is this different than basic [XSS](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet) prevention? I'm not sure why @eric-g didn't mark this as a dupe. – Indolering Sep 07 '13 at 05:33
  • My understanding of what the OP was asking is that the user will be able to upload and run their own JS. So the user's JS will then be on his server, but it should not have access to the web master's JS. This is about the web master protecting his server, not about protecting the end user. This is not an issue of input and output sanitization. My initial edit was just for the wording to help clarify this. However, @Arnaud if this is not what you are asking, please try to edit your question with more details. – Eric G Sep 07 '13 at 05:47
  • iframes are the traditional solution to sandboxing. There is also [google-caja](https://code.google.com/p/google-caja/) which claims to securely embed untrusted html/css/js, but I don't know how secure it is. – CodesInChaos Sep 08 '13 at 12:48
  • @EricG this is exactly what I'm looking for. I like to do something like jsFiddle but mostly for html/css and a little bit of js. – luxcem Sep 09 '13 at 07:50

1 Answer

If you don't trust sandboxed iframes, you could also use a separate hostname for each package. E.g. configure a virtual host with *.previews.specialdomain.tld, and show each preview on a different autogenerated hostname. You can then offer a link to the preview with

<a target="_blank" ...

That way, users will see the preview as a full page instead of an iframe, and they get back to your original view after closing that (or by switching to the previous tab/window).

Even though Google is a convincing author for the Caja framework, it seems unlikely they can really prevent all security vulnerabilities without breaking the JS code in some cases.

Olli