Question for the more skilled.
Date: 06/28/07
(Javascript Community) Keywords: css, java, security
Hi, I'm working with a team creating kind a site where anyone can pretty much create their own youtube/myspace/social network. Right now, we let users enter in their own code in the bottom and top of the body of a page (as well as customize other settings using an interface.)
We'd like to add another field where a user can enter in their own javascript/css in the header of their pages. Do you think allowing users to write in any js code they want in the header of there pages is dangerous? I know the user can do things like redirect the page and stuff - but it's really their site and currently if they want to do that they can. Are there any other dangers I should know about? Right now the user can pretty much put anything in the < body > including any JS so I don't see it opening up any more security holes than there are currently. Please enlighten me.
(Eventually we will block users from entering certain code, such as diplaying: none text ads, etc.)
I know that this is a shaky area that could possibly open us up to being hacked but we're really trying to give affiliates as much control as possible.
Source: http://community.livejournal.com/javascript/134741.html