How to allow users to write JavaScript with security?


Problem description



Blog providers such as Tumblr and Blogger allow users to write scripts in their own blogs.

It lets users add AdSense, Analytics and counters to their blogs easily.

How can I keep both security and customization?

What kind of scripts should I filter?

Thx :)

Solution

If every blog is going to be on its own domain (not a shared second-level domain like blogname.myblog.com!), chances are there is no need to filter anything at all.

The Same-Origin Policy will prevent sites from having access to anything important (like session cookies that could be hijacked to break into other blogs, or administrative URLs).

There is always the danger of a malicious user adding an iframe pointing to a malware-infected site, or doing something else evil. But there is no chance for you to stop that reliably. Every hosting company allowing their clients to upload HTML has the exact same problem. I guess nothing can be done against that except oversight, having each blogger sign some Terms & Conditions, and kicking out anybody who violates them.

If you are planning to run the blogs on a shared domain, it becomes potentially more difficult, because blogs could access stuff like each other's, and possibly the admin area's, cookies. There'd be a number of things that you would have to be aware of.
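The cookie-sharing problem the answer raises for shared domains can be made concrete with the browser's cookie domain-matching rule (RFC 6265). The following is an added example, not part of the original answer; the host names `myblog.com`, `admin.myblog.com` and `someblog.myblog.com` are constructed, and the `makeCookie`/`cookieSentTo` helpers are a simplified model that ignores Path, Secure and expiry.

```javascript
// Added example: RFC 6265 cookie domain matching, used to show why the
// answer distinguishes per-blog domains from a shared second-level domain.
// Host names (myblog.com, admin.myblog.com, someblog.myblog.com) are constructed.

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// they are equal, or the host ends with "." + domain (and is not an IP address).
function domainMatches(requestHost, cookieDomain) {
  requestHost = requestHost.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (requestHost === cookieDomain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(requestHost)) return false; // no domain match for IPs
  return requestHost.endsWith("." + cookieDomain);
}

// A cookie set without a Domain attribute is "host-only": it is sent only to
// the exact host that set it. With Domain=, it is sent to every subdomain.
function makeCookie(name, setByHost, domainAttr) {
  return {
    name,
    domain: domainAttr ? domainAttr.replace(/^\./, "") : setByHost.toLowerCase(),
    hostOnly: !domainAttr,
  };
}

// Would the browser attach this cookie to a request for `requestHost`?
// (Simplified model: Path, Secure and expiry attributes are ignored.)
function cookieSentTo(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// Scenario 1 (shared domain): the admin session cookie is scoped to
// Domain=myblog.com so the admin UI works on every subdomain. It is now sent
// to every blog's host too, and readable from a blog's scripts unless HttpOnly.
const sharedAdminSession = makeCookie("session", "admin.myblog.com", "myblog.com");

// Scenario 2: the same cookie set host-only on the admin host.
const isolatedAdminSession = makeCookie("session", "admin.myblog.com");

function sharedDomainLeaks() {            // true: someblog.myblog.com receives it
  return cookieSentTo(sharedAdminSession, "someblog.myblog.com");
}
function hostOnlyLeaks() {                // false: only admin.myblog.com receives it
  return cookieSentTo(isolatedAdminSession, "someblog.myblog.com");
}
```

Host-only scoping limits which hosts receive the cookie, but it does not stop a sibling subdomain from setting its own cookies for the shared parent domain, which is one reason the answer prefers giving each blog its own domain over a shared second-level one.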
