Arty wrote: It's not a good idea. However, neither is using Flash, which, because of massive amounts of security issues that can affect your operating system, is far more dangerous.
That's only an issue for people viewing the Flash files; my forum moderates uploaded Flash files and I have ClamAV scanning uploaded files for known exploits at least. The site itself is never in any danger, as the files are just data otherwise.
For making simple, portable games and animations though there's not really any alternative, and since that's what the forum is about… don't exactly have a choice.
Arty wrote: Inserting CSS could also be potentially dangerous, but it can't be used for much more than harmless pranks. So allowing it is somewhat ok if you trust your users.
Can it do much outside of an iframe? I was thinking of hosting the CSS/JavaScript/HTML on a different sub-domain and using an iframe to embed it; this should limit a lot of the potential for abuse, plus a sub-domain lets me set different rules for nginx (so if a user tried to upload a PHP file as part of the bundle, it wouldn't be executable).
Arty wrote: Allowing users to insert JavaScript is very dangerous. It could be used to steal sessions, log login details, create posts on your behalf and other nasty stuff.
This is my main concern; stealing of login credentials via session cookies is the main risk I think, since JavaScript would still be able to grab cookies for the parent domain, i.e. if the uploads are to files.example.org, then they have access to cookies for example.org.
I'm not 100% certain if JavaScript can access other sub-domains though, for example if JavaScript hosted at files.example.org could access cookies for forums.example.org? Even if they do, I may have to sanitise the JavaScript code to force them to use a specific domain, i.e. look for calls to document.cookie and other methods and force them to include a domain of files.example.org, plus disallow workarounds like eval.
Either that or maybe somehow remove all cookie access from JavaScript and replace it with a custom function call that can only set cookies for the domain I choose? Not sure what the best option is here.
Arty wrote: So basically it's not a good idea. But neither is allowing Flash.
Thanks for the advice, but the forum's purpose is the creation of these types of content, so not supporting it isn't really much of a choice.
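
The cookie-scoping question raised in this post, as an added example that is not part of the original post: a small model of RFC 6265 domain matching and the HttpOnly flag, showing which cookies a script served from files.example.org could read through document.cookie. The cookie names and the jar are constructed for illustration, and public-suffix, Path and Secure handling are left out.

```javascript
// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain,
// or the host ends with "." + cookie domain. (IP-address hosts are not handled.)
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie the way a browser does when setterHost sends Set-Cookie.
// No Domain attribute -> host-only cookie, bound to exactly setterHost.
// A Domain attribute that does not cover setterHost -> rejected (null).
function storeCookie(setterHost, { name, value, domain, httpOnly = false }) {
  if (domain === undefined) {
    return { name, value, domain: setterHost.toLowerCase(), hostOnly: true, httpOnly };
  }
  if (!domainMatch(setterHost, domain)) return null;
  const d = domain.toLowerCase().replace(/^\./, "");
  return { name, value, domain: d, hostOnly: false, httpOnly };
}

// Names of the cookies a script running on `host` would see in document.cookie.
function scriptVisibleCookies(jar, host) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => c !== null && !c.httpOnly) // HttpOnly hides the cookie from scripts
    .filter((c) => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
    .map((c) => c.name);
}

// Constructed sample jar (hypothetical cookie names).
const jar = [
  // Session cookie set by the forum with no Domain attribute.
  storeCookie("forums.example.org", { name: "sid_hostonly", value: "a" }),
  // Same, but widened to the whole site with Domain=example.org.
  storeCookie("forums.example.org", { name: "sid_wide", value: "b", domain: "example.org" }),
  // Widened, but flagged HttpOnly.
  storeCookie("forums.example.org", { name: "sid_httponly", value: "c", domain: "example.org", httpOnly: true }),
  // Set by the bare parent domain with no Domain attribute.
  storeCookie("example.org", { name: "root_hostonly", value: "d" }),
  // files.example.org naming a sibling host in Domain: rejected.
  storeCookie("files.example.org", { name: "sibling_try", value: "e", domain: "forums.example.org" }),
];

console.log("files.example.org sees:", scriptVisibleCookies(jar, "files.example.org"));
console.log("forums.example.org sees:", scriptVisibleCookies(jar, "forums.example.org"));
```

In this model only the cookie widened with Domain=example.org and left without HttpOnly is readable from files.example.org; the host-only and HttpOnly session cookies are not.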