问题
I have a membership website where users can embed their own code into their profile. I would like to allow them to include embed codes on their profile such as YouTube and Javascript embed codes.
I noticed JsFiddle.net can do this. Does anybody know how to duplicate this security?
Thank you for any help!
回答1:
Set up a completely separate domain name (e.g. "exampleusercontent.com") exclusively for user-submitted HTML, CSS, and JavaScript. Do not allow this content to be loaded through your main domain name. Then embed the user content in your pages using iframes.
If you need tighter integration than simple framing, window.postMessage() may help, allowing scripts in different frames to communicate with each other in a controlled manner.
Alternatively, Google Caja is an open-source compiler for sandboxing third-party JavaScript, although from time to time, someone has discovered a vulnerability in it.
You may not want to rely on Caja as your sole layer of defense. After all, Facebook did give up on a similar system (called FBML/FBJS) in favor of the iframe sandboxing approach.
回答2:
I assume you want security from malicious code injection, sql injection, etc.
When the form is submitted you'll need to verify the input server side. As long as you validate it there for what you expect it to be you should be okay. The only validation you do within JavaScript (if any) should be for helping the user add their information to the form and see where they've gone wrong, assistance in other words.
I've used the YouTube API in the past to validate video entries. Not sure if Vimeo has an API, I'd be surprised if it didn't though.
来源:https://stackoverflow.com/questions/14162492/allow-javascript-in-php-form-and-avoid-hacking-like-jsfiddle