Allow javascript in php form and avoid hacking like JsFiddle

Problem description

I have a membership website where users can embed their own code into their profile. I would like to allow them to include embed codes on their profile such as YouTube and Javascript embed codes.

I noticed JsFiddle.net can do this. Does anybody know how to duplicate this security?

Thanks for your help!

Recommended answer

Set up a completely separate domain name (e.g. "exampleusercontent.com") exclusively for user-submitted HTML, CSS, and JavaScript. Do not allow this content to be loaded through your main domain name. Then embed the user content in your pages using iframes.

If you need tighter integration than simple framing, window.postMessage() may help, allowing scripts in different frames to communicate with each other in a controlled manner.

Alternatively, Google Caja is an open-source compiler for sandboxing third-party JavaScript, although from time to time, someone has discovered a vulnerability in it.

You may not want to rely on Caja as your sole layer of defense. After all, Facebook did give up on a similar system (called FBML/FBJS) in favor of the iframe sandboxing approach.
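The separate-domain, iframe and postMessage design the answer describes, as an added example that is not part of the original answer or of any JsFiddle code. The domain names (`example.com`, `exampleusercontent.com`), the `resize` message type, the 5000 px height limit and the profile id are assumptions made for the example. The handlers are plain functions so the same file also loads under Node for testing; the wiring at the bottom only runs in a browser.

```javascript
// Added example, not code from the original answer. The host page (HOST_ORIGIN)
// embeds profile content served from a separate domain (USER_CONTENT_ORIGIN;
// both names are assumptions) in an iframe, and the two sides talk over
// postMessage with explicit origin checks on both ends.

const HOST_ORIGIN = "https://example.com";                    // assumed main site
const USER_CONTENT_ORIGIN = "https://exampleusercontent.com";  // assumed content domain

// Host side: create the iframe that loads a user's profile page from the
// separate domain. The sandbox attribute is defence in depth on top of the
// separate origin: allow-same-origin keeps the frame's real origin (so the
// origin checks below work) and is only safe because the framed document is
// NOT on the host's domain; a same-domain document with allow-scripts and
// allow-same-origin could simply remove its own sandbox.
function buildUserContentFrame(doc, profileId) {
  const frame = doc.createElement("iframe");
  frame.src = `${USER_CONTENT_ORIGIN}/profile/${encodeURIComponent(profileId)}`;
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin allow-popups");
  frame.setAttribute("referrerpolicy", "no-referrer");
  return frame;
}

// Host side: process one message event. Only the user-content origin is
// accepted, only the message types the host understands are acted on, and
// every field is validated before use. Returns what was done so it is testable.
function handleMessageFromUserContent(event, allowedOrigin, onResize) {
  if (event.origin !== allowedOrigin) {
    return { accepted: false, reason: "origin" };
  }
  const data = event.data;
  if (data === null || typeof data !== "object") {
    return { accepted: false, reason: "shape" };
  }
  if (data.type === "resize") {
    const height = Number(data.height);
    if (!Number.isFinite(height) || height < 0 || height > 5000) {
      return { accepted: false, reason: "height" };
    }
    const px = Math.floor(height);
    onResize(px);
    return { accepted: true, type: "resize", height: px };
  }
  return { accepted: false, reason: "type" };
}

// Content side (a script served from USER_CONTENT_ORIGIN): report the document
// height to the embedding page. The target origin is given explicitly so the
// browser drops the message unless the parent really is the host site.
function reportHeightToHost(win, hostOrigin) {
  if (win.parent === win) {
    return false; // not framed; nothing to report to
  }
  const height = win.document.documentElement.scrollHeight;
  win.parent.postMessage({ type: "resize", height }, hostOrigin);
  return true;
}

// Browser wiring. On the host page: insert the frame and listen for its
// messages, additionally requiring that event.source is this frame's window
// so another embedded window cannot speak for it. On the content page:
// send the height once the document has loaded.
if (typeof window !== "undefined") {
  if (window.location.origin === HOST_ORIGIN) {
    const frame = buildUserContentFrame(document, "alice"); // "alice" is a placeholder profile id
    document.body.appendChild(frame);
    window.addEventListener("message", (event) => {
      if (event.source !== frame.contentWindow) return;
      handleMessageFromUserContent(event, USER_CONTENT_ORIGIN, (px) => {
        frame.style.height = `${px}px`;
      });
    });
  } else if (window.location.origin === USER_CONTENT_ORIGIN) {
    window.addEventListener("load", () => reportHeightToHost(window, HOST_ORIGIN));
  }
}
```

Two points a practitioner will want to check: the content domain must not be a subdomain of the host (or share any cookie scope with it), otherwise the separate origin buys nothing against cookie theft; and if you drop `allow-same-origin` from the sandbox list, the frame gets an opaque origin, `event.origin` arrives as the string `"null"`, and the host must rely on the `event.source` identity check alone rather than on an origin comparison.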
