KendoClaw - 16 days ago 5
CSS Question

Allowing users to Upload javascript/html/css

I am creating a website which allows users to make their website alive for a certain amount of time. It works like this:


  • user uploads a .zip file containing javascript/html/css/image.

  • filtering the files using a whitelist to remove unallowed extensions.

  • a new subdomain will be made with a random name containing the unzipped files.

  • and the user now can view his design.



so what security issues may result due to uploading javascript/html/css files?

Answer

All of the files are potential security holes. JavaScript, HTML and CSS files could be dangerous because all of them may have JavaScript code in them. By allowing people to upload files that contain JavaScript code you're letting them upload code that will be executed by visitors' browsers.

On modern browsers, embedding JavaScript code in CSS files isn't a real problem. But if you expect to support older browsers, such as IE6 or 7, then the CSS files are a potential security hole as well.

A common technique used by attackers is Cross-site scripting, or XSS. Basically, attackers inject JavaScript code on a website, by using a form or some low-security API that allows visitors to send information to the website. That JavaScript code may then be executed by all other users, and could steal sensitive information. Here's some more information on it: https://en.wikipedia.org/wiki/Cross-site_scripting

Now, because all websites reside in different subdomains, they actually have different origins, and thus the browser will prevent one website's JavaScript from fiddling with another website's cookies. This is called the Same origin policy, and it's described in more detail here: https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

Do bear in mind that one of these malicious JavaScript files could change its origin by running the following code:

document.domain = "yourdomain.com";

And that could be a potential threat. Also, the Same origin policy has different behaviour on some browsers, such as Internet Explorer. It's ideal that you read the documentation on it for the most common web browsers.