I've been working on a JS library and would like to set up a demo page on GitHub that allows, for example, users to define their own callbacks and execute commands.
I know "eval() is evil" and I can see how blind eval() of scripts could lead to XSS and other security issues. I'm trying to cook up some alternative schemes.
I really enjoy the interactivity of jsFiddle. I've taken a look at their source but was hoping someone could lay out here how jsFiddle allows and executes user-defined JavaScript without being dangerous. So long as it doesn't involve a 3rd party echo server, I'm hoping I can emulate the approach.
jsFiddle executes user scripts on a separate domain, i.e. it loads an iframe containing a page that executes the JavaScript. The page in this iframe must be on a separate domain (in this case, http://fiddle.jshell.net) that has nothing that can be attacked (no cookies). (Try it and see.) Therefore, it can't interact with the parent frame and it can't steal cookies.
You can actually do this without a separate server by placing a static page on a separate domain that reads from its query string in JavaScript.
You can communicate back using the page title (and so can the enemy).
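The scheme the answer describes, written out as an added example (this is not jsFiddle's code, and the origin names `https://host.example.com` and `https://sandbox.example.net` are placeholders). The host page hands the user script to a static page on a separate, cookie-less origin via the query string, the sandbox page evaluates it there, and the result comes back with `postMessage` instead of the page title so the host can check `event.origin` before trusting it. The functions are kept free of DOM calls so they can be exercised outside a browser; the wiring at the bottom only runs when a `window` exists.

```javascript
// Added example: user-supplied JS runs in an iframe on a throwaway origin.
// Placeholder origins; the sandbox origin must hold no cookies or secrets.
const HOST_ORIGIN = 'https://host.example.com';
const SANDBOX_ORIGIN = 'https://sandbox.example.net';

// Host side: build the iframe URL. The script travels in the query string,
// so nothing is ever eval()'d on the host origin. The host origin is passed
// along so the sandbox can address its reply to us and nobody else.
function buildSandboxUrl(sandboxOrigin, userCode, hostOrigin) {
  const url = new URL('/run.html', sandboxOrigin);
  url.searchParams.set('code', userCode);
  url.searchParams.set('host', hostOrigin);
  return url.toString();
}

// Sandbox side: recover the script and the reply target from location.search.
function parseSandboxQuery(search) {
  const params = new URLSearchParams(search);
  return { code: params.get('code') || '', host: params.get('host') || '' };
}

// Sandbox side: this is still eval (via the Function constructor), but it is
// confined to an origin that owns nothing. Errors are reported, not thrown.
function runUserCode(code) {
  try {
    const value = new Function(code)();
    return { type: 'sandbox-result', ok: true, value: String(value) };
  } catch (err) {
    return { type: 'sandbox-result', ok: false, error: String(err) };
  }
}

// Host side: any window can postMessage to us, so the origin check is what
// makes the channel trustworthy (the page-title channel has no such check).
function isResultFromSandbox(event, sandboxOrigin) {
  return event.origin === sandboxOrigin &&
    typeof event.data === 'object' && event.data !== null &&
    event.data.type === 'sandbox-result';
}

// Browser wiring: the same file serves both pages; decide by origin.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.location.origin === SANDBOX_ORIGIN) {
    // Sandbox page (run.html on the throwaway origin).
    const { code, host } = parseSandboxQuery(window.location.search);
    const result = runUserCode(code);
    // Reply only to the host origin named in the URL, never to '*'.
    if (host) window.parent.postMessage(result, host);
  } else {
    // Host page: listen first, then embed the sandbox frame.
    window.addEventListener('message', (event) => {
      if (!isResultFromSandbox(event, SANDBOX_ORIGIN)) return; // drop forged messages
      console.log(event.data.ok ? 'result: ' + event.data.value : 'error: ' + event.data.error);
    });
    const frame = document.createElement('iframe');
    frame.src = buildSandboxUrl(SANDBOX_ORIGIN, 'return 1 + 1', HOST_ORIGIN);
    document.body.appendChild(frame);
  }
}
```

Keeping the sandbox on a genuinely separate registrable domain (not just a subdomain) matters: the same-origin policy is what stops the evaluated script from reaching the host page's DOM or cookies, and the `event.origin` check is what stops a third-party frame from forging "results". If you additionally put `sandbox="allow-scripts"` on the iframe without `allow-same-origin`, the frame gets an opaque origin and `event.origin` becomes the string `"null"`; in that case compare `event.source` against `frame.contentWindow` instead of the origin.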