Allow JavaScript - Protect from XSS? (unique scenario)
I am in the process of building an application (more specifically, a CMS) that allows users to add JavaScript to their content. There isn't really a possibility for JavaScript, and because of this, some security concerns are now becoming quite obvious. We are mainly concerned about the theft of cookies.
To explain the system a little more, the CMS allows one user to have access to multiple sites. A user can invite another user to edit their site. Someone accessing the site will then do the JS add.
Here's the scenario we're trying to work around:
- The malicious user "Angry Bob" writes JavaScript to read cookies and send them via email.
- Angry Bob invites me to edit their site.
- I am browsing the site and my cookies are being sent to Evil Bob.
- Evil Bob now has access to my cookies and can edit any sites that I have access to.
We've added some protection against cookie theft, which makes it difficult to spoof cookies. If you want to use a stolen cookie, you will also have to spoof all the headers to match the names of the victim.
We had some ideas for fixes, like putting each site on a separate subdomain and requiring a separate login for each account. Perhaps this is the best solution.
Any other recommendations?
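The per-site subdomain idea from the question, modelled as an added example (not code from the original post): it applies the browser's RFC 6265 cookie rules to show which session cookies a script on another site's subdomain could read. The hostnames, cookie name and helper functions are constructed for illustration.

```javascript
// Added example: models browser cookie scoping (RFC 6265) for a CMS that
// serves each site from its own subdomain. All hostnames are constructed.

// Build the Set-Cookie value for a per-site session.
// No Domain attribute => host-only cookie; HttpOnly hides it from scripts.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Parse a Set-Cookie value as received from `originHost`.
// (A real browser also rejects a Domain that does not match the origin host.)
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   host: originHost.toLowerCase(), hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'domain' && v) {
      cookie.host = v.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching, plus the host-only flag.
function sentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (cookie.hostOnly) return host === cookie.host;
  return host === cookie.host || host.endsWith('.' + cookie.host);
}

// What document.cookie would expose to a script running on `pageHost`.
function scriptVisible(cookies, pageHost) {
  return cookies.filter((c) => sentTo(c, pageHost) && !c.httpOnly)
                .map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed scenario: the victim logs in on mysite; Bob's site is a sibling subdomain.
const shared = parseSetCookie('sid=abc123; Domain=.cms.example; Path=/', 'mysite.cms.example');
const scoped = parseSetCookie(sessionCookieHeader('sid', 'abc123'), 'mysite.cms.example');

console.log('shared cookie on bob.cms.example:', scriptVisible([shared], 'bob.cms.example'));
console.log('scoped cookie on bob.cms.example:', scriptVisible([scoped], 'bob.cms.example'));
console.log('scoped cookie on mysite.cms.example:', scriptVisible([scoped], 'mysite.cms.example'));
```

Host-only scoping isolates the sites from one another, and HttpOnly only stops a script from reading the cookie value; a script running on the same host as a session can still issue requests that carry it.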
You can try sanitizing JavaScript with Google Caja or Crockford AdSafe.
Unfortunately, these solutions still work although Caja, for example, is currently pretty robust and under heavy development (it just doesn't implement all of the DOM).