
How to allow users to write javascript with security?

Blog providers such as Tumblr and Blogger allow users to write scripts in their own blogs.

It lets users easily add AdSense, Analytics and counters to their blogs.

How to keep both security and customization?

What kind of scripts should I filter?

Thx :)

Peter Chung asked Dec 06 '25 16:12


1 Answer

If every blog is going to be on its own domain (not a shared second level domain like blogname.myblog.com!), chances are there is no need to filter anything at all.

The Same Origin Policy will prevent sites from having access to anything important (like session cookies that could be hijacked to break into other blogs, or administrative URLs).

There is always the danger of a malicious user adding an iframe pointing to a malware-infected site, or doing something else evil. But there is no chance for you to stop that reliably. Every hosting company allowing their clients to upload HTML has the exact same problem. I guess nothing can be done against that except oversight, having each blogger sign some Terms & Conditions, and kicking out anybody who violates them.

If you are planning to run the blogs on a shared domain, it becomes potentially more difficult, because blogs could access stuff like each other's, and possibly the admin area's, cookies. There'd be a number of things that you would have to be aware of.

Pekka answered Dec 08 '25 04:12

Pekka
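
To make the shared-domain case from the answer above concrete, here is an added example (not part of the original answer) that models how a browser scopes cookies under RFC 6265 domain-matching. The hostnames, cookie names and function names are constructed for illustration, and public-suffix handling is left out.

```javascript
// Simplified model of RFC 6265 cookie scoping (no public-suffix list, no IP hosts).
// Hostnames and cookie names are constructed for illustration.

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Model what the browser stores when `setterHost` sends Set-Cookie.
// Returns null when the Domain attribute does not cover the setting host.
function storeCookie(setterHost, { name, domain, httpOnly = false }) {
  if (domain === undefined) {
    // No Domain attribute: host-only cookie, never shared with sibling hosts.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true, httpOnly };
  }
  if (!domainMatch(setterHost, domain)) return null;
  const d = domain.toLowerCase().replace(/^\./, "");
  return { name, domain: d, hostOnly: false, httpOnly };
}

// Is the cookie attached to requests for `host`?
function sentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Can a script in a page on `host` read it through document.cookie?
function readableByScript(cookie, host) {
  return sentTo(cookie, host) && !cookie.httpOnly;
}

const ADMIN = "admin.myblog.example";   // platform admin area (constructed)
const BLOG = "blogname.myblog.example"; // user-controlled blog on the shared domain

const cases = {
  "Domain=myblog.example": storeCookie(ADMIN, { name: "session", domain: "myblog.example" }),
  "host-only": storeCookie(ADMIN, { name: "session" }),
  "Domain=myblog.example; HttpOnly":
    storeCookie(ADMIN, { name: "session", domain: "myblog.example", httpOnly: true }),
};
for (const [label, cookie] of Object.entries(cases)) {
  console.log(`${label}: readable by script on ${BLOG}?`, readableByScript(cookie, BLOG));
}
```

Only the first case exposes the admin session to scripts on a user's blog; issuing the cookie host-only, or with HttpOnly, removes that exposure in this model.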


