I have an application where I am allowing users to upload (or refer the
app. to) arbitrary HTML that I am (currently) displaying in an IFRAME
on a page. The users will be authenticated so it’s not open to the
I was always uneasy with this, but after reading the security chapter of
AWDWR, I am even more concerned.
What kinds of applications do people have out there that provide
snippets of HTML that could be user provided?
I saw something in AWDWR about sanitize() - any comments/advice on that?
One thing I’m considering is rendering it on the server side and
providing an image of the rendered to the user - then I only have to
worry about being compromised on my server instead of worrying about XSS
attacks. Does that make sense?
Any thoughts or advice is appreciated.
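As an added illustration of the allowlist approach that Rails' sanitize() takes (this is example code written for this thread, not Rails' implementation and not the poster's app), here is a deliberately small allowlist sanitizer in plain Ruby. The tag list, the `href`-only attribute allowlist and the URL-scheme check are assumptions chosen for the example; every tag, attribute or URL scheme that is not explicitly allowed is dropped, which is what keeps `<script>`, `onerror=` handlers and `javascript:` links out of the IFRAME.

```ruby
require 'cgi'

# Simplified allowlist sanitizer written as an illustration; a production
# app should use a real HTML parser-based sanitizer (Rails' sanitize()).
ALLOWED_TAGS  = %w[p br b i em strong ul ol li a].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze   # assumption: only <a href> survives
# Only these URL shapes are kept in href; javascript:, data:, vbscript: etc. are dropped.
SAFE_URL = %r{\A(?:https?:|mailto:|/)}i

# Either a tag (<, optional /, name, raw attributes, >) or a run of text;
# a lone '<' that does not start a tag is treated as text and escaped.
TAG_OR_TEXT = %r{<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+|<)}
ATTR        = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

def sanitize_html(html)
  out = +''
  html.scan(TAG_OR_TEXT) do |closing, tag, raw_attrs, text|
    if text
      # Decode then re-encode so existing entities are not double-escaped.
      out << CGI.escapeHTML(CGI.unescapeHTML(text))
      next
    end
    tag = tag.downcase
    next unless ALLOWED_TAGS.include?(tag)   # unknown tag: drop the tag itself
    if closing == '/'
      out << "</#{tag}>"
      next
    end
    out << "<#{tag}"
    raw_attrs.scan(ATTR) do |name, dq, sq, bare|
      name = name.downcase
      next unless ALLOWED_ATTRS.fetch(tag, []).include?(name)  # drops onclick, style, ...
      value = dq || sq || bare
      next if name == 'href' && value !~ SAFE_URL             # drops javascript: links
      out << " #{name}=\"#{CGI.escapeHTML(value)}\""
    end
    out << '>'
  end
  out
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input showing what survives and what is removed.
  sample = '<p>Hi <b>there</b></p><script>alert(1)</script>' \
           '<a href="javascript:alert(1)" onclick="evil()">x</a>'
  puts sanitize_html(sample)
end
```

The point of the allowlist direction (as opposed to trying to blocklist `<script>`) is that anything you have not thought of is removed by default; encoded or mixed-case variants never need special handling. Even with sanitization in place, serving the user HTML from a separate origin rather than the application's own origin keeps a missed case from reaching the authenticated users' session.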