Security Measures on Websites Allowing Online Scripting
As asked in the title, I have been wondering this for a while. These sites allow the user to write scripts and store them too. Are they not vulnerable to attacks such as cross-site scripting or any other similar attack? If so how do they protect themselves and their clients.
For Example, somebody writes a malicious code and shares the code with others posing as someone who needs help. Now, Members of stack will of-course run the code to check what the problem is. Isn’t that directly playing into the hands of the attacker?
Answer
What you need to worry about here is XSS. Scripting in general is not (supposed to be) dangerous, since the browser limits what an attacker can do anyway. At least you can not do anything on JSFiddle that you can’t do on any other webpage.
But what about the XSS? If you look at the source of JSFiddle you will find this:
<iframe sandbox="allow-forms allow-scripts allow-same-origin allow-modals allow-popups" allowfullscreen="" name="result" frameborder="0">
So the area where the code is executed is contained in an iframe. The URL of that page is https://fiddle.jshell.net/_display/
. Since it is in a different domain from JSFiddle itself, it can not access any of the JSFiddle cookies. So that domain is pointless to XSS, because it contains nothing of value. It is just a page that returns any scripts you POST to it.