Is it ok to let user customise css and Javascript

开发者_如何学编程Is it ok to let user of a website customise and store theire own pages in javascript [1] and css ?

[1] they can gather informations about the content they own on the website through a javascript API

There are quite a few answers to this question all making different assumptions about the things that are not clear in the question, so let me clarify it all a little bit:

• If you are asking about users adding custom CSS and JavaScript for their own custom page that only they can see then you can do it because they can do it anyway with or without your help.

• If you are asking about users adding custom CSS and JavaScript for any page that orher users can see like their profile pages then never let them do it.

Never let anyone control the JavaScript of other visitors, period. Never let anyone control the CSS of other visitors without restrictions. Never let anyone control the HTML of other visitors without restrictions. The restrictions for CSS may be just changing some colors and nothing more. The restrictions for HTML may be just using only few tags for text formatting. But what their own browser displays to them is completely out of your control. They can inject any HTML, CSS and JavaScript they want and you have to always keep that in mind, whether you let them do it officially or not.

I would advise against the javascript. Its difficult to maintain a level of security.

Generally, you don't want to let user A download and run Javascript authored by user B -- there are tremendous opportunities for security shenanigans.

css is safe, but as others have said, allowing users to customize the javascript of a page is a huge security risk.

If other visitors can see those pages, then no. Imagine flashing colors, randomly moving DOM elements, and other bad design, on your website.

Worse than that, if you allow arbitrary JS, your other users run the risk of being redirected via window.location to another site that looks identical to yours, but steals passwords. This may be a bit extreme, but it's really easy to accomplish.

If you don't care much about the impression people get when they visit your site (like if it's a social networking site), you can let CSS slide. But I'd steer clear of JavaScript, as it poses tons of security risks to other users.

If you want to impress your users go for it. If you want to stay secure, don't touch it.