I've been working on a JS library and would like to set up a demo page on GitHub that allows, for example, users to define their own callbacks and execute commands.
I know "eval() is evil" and I can see how blind eval() of scripts could lead to XSS and other security issues. I'm trying to cook up some alternative schemes.
I really enjoy the interactivity of jsFiddle. I've taken a look at their source but was hoping someone could lay out here how jsFiddle allows and executes user-defined JavaScript without being dangerous. So long as it doesn't involve a 3rd-party echo server, I'm hoping I can emulate the approach.
asked Nov 4, 2011 at 1:36 by buley

1 Answer
jsFiddle executes user scripts on a separate domain, http://fiddle.jshell.net (try it and see).
Therefore, it can't interact with the parent frame and it can't steal cookies.
You can actually do this without a separate server by placing a static page in a separate domain that reads from its querystring in Javascript.
You can communicate back using the page title (and so can the enemy).
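As an added example (not the answer's code and not jsFiddle's), here is a minimal version of the two-origin layout the answer describes: the host page hands the user's script to a static runner page on a separate origin through the query string, and the runner reports back with postMessage plus an origin check instead of the page title. HOST_ORIGIN, SANDBOX_ORIGIN and run.html are assumed placeholders.

```javascript
// Assumed placeholders: the demo page's origin and the separate origin that runs user code.
const HOST_ORIGIN = "https://demo.example";
const SANDBOX_ORIGIN = "https://sandbox.example";

// Host side: pass the user's script to the runner page via the query string.
function buildSandboxUrl(code) {
  return `${SANDBOX_ORIGIN}/run.html?code=${encodeURIComponent(code)}`;
}

// Runner side: recover the script from location.search.
function readCodeFromQuery(search) {
  return new URLSearchParams(search).get("code") ?? "";
}

// Runner side: execute the script. Whatever it does is confined to the sandbox
// origin; the host page's DOM, cookies and storage are not reachable from here.
function runUserCode(code) {
  try {
    return { ok: true, value: String(new Function(code)()) };
  } catch (e) {
    return { ok: false, value: String(e) };
  }
}

// Host side: accept results only from the sandbox origin and only in the
// expected shape, since any window can post a message to the host. (If the
// iframe is also given sandbox="allow-scripts" without allow-same-origin, its
// origin arrives as "null"; compare event.source to the frame's contentWindow then.)
function acceptResult(event) {
  if (event.origin !== SANDBOX_ORIGIN) return null;
  const { ok, value } = event.data || {};
  return typeof ok === "boolean" && typeof value === "string" ? { ok, value } : null;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  if (window.location.origin === SANDBOX_ORIGIN) {
    // run.html: execute the script and report to the embedding host only.
    const result = runUserCode(readCodeFromQuery(window.location.search));
    window.parent.postMessage(result, HOST_ORIGIN);
  } else {
    // demo page: embed the runner in an <iframe src={buildSandboxUrl(code)}> and listen.
    window.addEventListener("message", (e) => {
      const r = acceptResult(e);
      if (r) console.log(r.ok ? "result:" : "error:", r.value);
    });
  }
}
```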