Question
I don't know if this is really dangerous, but, as Google does it with its HTML and JavaScript served from Google Apps Script (as explained here, they use the Caja Compiler to "sanitize and sandbox HTML").
I was wondering if there was anything bad that could happen if I let users edit HTML with Jinja2 templates, giving them access to some server-side variables that would be rendered some time later. What bad can happen?
Obs: I don't care if the user HTML will be ugly or if it will destroy the rest of the page.
Answer 1:
Allowing end users to edit HTML or JavaScript can lead to your site being vulnerable to XSS - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS).
If users view the content other users have created, their scripts could be compromising cookie values or the user session by sending the values to the attacker's server.
Answer 2:
Bad things can happen with HTML; worse things can happen with most templating engines, including Jinja2. Like arbitrary code execution. That’s why there’s a sandbox.
Source: https://stackoverflow.com/questions/19603097/why-is-it-dangerous-to-render-user-generated-html-or-javascript