Date: 06/28/07 (Javascript Community)    Keywords: css, java, security

Hi, I'm working with a team creating kind a site where anyone can pretty much create their own youtube/myspace/social network. Right now, we let users enter in their own code in the bottom and top of the body of a page (as well as customize other settings using an interface.)

We'd like to add another field where a user can enter in their own javascript/css in the header of their pages. Do you think allowing users to write in any js code they want in the header of there pages is dangerous? I know the user can do things like redirect the page and stuff - but it's really their site and currently if they want to do that they can. Are there any other dangers I should know about? Right now the user can pretty much put anything in the < body > including any JS so I don't see it opening up any more security holes than there are currently. Please enlighten me.

(Eventually we will block users from entering certain code, such as diplaying: none text ads, etc.)

I know that this is a shaky area that could possibly open us up to being hacked but we're really trying to give affiliates as much control as possible.

Source: http://community.livejournal.com/javascript/134741.html