I am curious, what makes www.jsfiddle.net secure from XSS based attacks? They have a support for accounts so clearly any script they run on the browser may do evil things.
If you look at the results pane for a fiddle you'll notice that it's actually an IFRAME pointing to a different domain which means that built in security will kick in which generally prevents access to the parent window.
This fiddle for example : http://jsfiddle.net/jomanlk/y9zCK/
Is actually served by : http://fiddle.jshell.net/jomanlk/y9zCK/show/
来源:https://stackoverflow.com/questions/6732501/what-makes-jsfiddle-secure-from-xss-based-attacks