7

I have an idea for a web application where a user can submit Javascript code that can then be served up to other users. I'm wondering what's the best way of going about this. Is it possible to store the Javascript in a database and then serve it up to users as they request it? I would also like to be able to attach metadata to each piece of code: name, user ratings, etc., so a database seems like the natural solution to my somewhat underinformed mind. I'm looking at using Rails on the backend with MongoDB.

8
  • 10
    Read this out loud: "a user can submit Javascript code that can then be served up to other users." Wow, I don't think I've seen a worse idea in ages. Commented Jun 30, 2010 at 2:24
  • 3
    @Aircule, that's initially what I thought, however I think "served up" may mean "viewed by". Basically, a database of snippets. Commented Jun 30, 2010 at 2:27
  • In that case, store it as you would store any kind of text. Just remember to convert special HTML chars to their HTML entities (i.e. < to &lt;) when you display it. Commented Jun 30, 2010 at 2:32
  • 1
    I understand the risks. A significant part of the plan is to put a lot of failsafes in, numerous peer reviews, holding users accountable. The question remains: is it doable and how would one go about it? Commented Jun 30, 2010 at 3:35
  • 1
    1) Get script like any other user input. 2) Store script like any other user input in database. 3) Get script from database like any other data and echo it between <script> tags. 4) Enjoy crashing browsers and XSS exploits. :) Commented Jun 30, 2010 at 3:51
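One way to store such snippets with their metadata and display them as text rather than executing them, following the escape-on-display advice in the comments above. This is an added Ruby example, not code from the question or any answer; it uses an in-memory array as a stand-in for the MongoDB collection and the standard library's ERB::Util.html_escape (the same escaping Rails' ERB views apply) to show the unsafe rendering beside the safe one.

```ruby
require 'erb'

# Stand-in for the database record (constructed for this example; in Rails
# this would be a model with the same fields: name, author, rating, code).
Snippet = Struct.new(:name, :author, :rating, :code)
SNIPPETS = []

def store_snippet(name, author, code, rating: 0)
  # Store the JavaScript exactly as submitted, as plain text. Do not try to
  # "sanitize" it on the way in; the decision not to execute it is made at
  # render time, not at storage time.
  snippet = Snippet.new(name, author, rating, code)
  SNIPPETS << snippet
  snippet
end

# UNSAFE: echoes the stored text between <script> tags, so every visitor's
# browser executes whatever the submitting user wrote (stored XSS).
def render_unsafe(snippet)
  "<script>#{snippet.code}</script>"
end

# SAFE: shows the snippet as text inside <pre><code>, with every
# HTML-significant character (&, <, >, ", ') escaped, so the browser never
# parses any of it as markup. Metadata fields get the same treatment.
def render_safe(snippet)
  h = ->(s) { ERB::Util.html_escape(s.to_s) }
  "<h2>#{h.call(snippet.name)} by #{h.call(snippet.author)} " \
  "(rating #{snippet.rating.to_i})</h2>\n" \
  "<pre><code>#{h.call(snippet.code)}</code></pre>"
end

# Constructed hostile submission: it tries to close the code element and
# inject a tag that would run if the stored text reached the page unescaped.
HOSTILE = store_snippet('hello', 'mallory',
                        'alert(1);</code></pre><img src=x onerror=alert(1)>')

if __FILE__ == $0
  puts render_unsafe(HOSTILE)  # browser would execute this
  puts render_safe(HOSTILE)    # browser shows it as text
end
```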

3 Answers

9

Javascript is a string of text. Databases can store strings of text. Hence, databases can store Javascript.

Unless you have some specific idea I'm missing though, I wholly agree with @Aircule's sentiment.

Wow, I don't think I've seen a worse idea in ages.


3 Comments

I think the OP means for other users to view, not execute. Like codepaste.net
@Rex If that is so, it's indeed not such a bad idea. Then it's only been done before. :)
In a shared development scenario like a CMS, it makes sense as well, but only as long as you limit your upload system to trusted users/developers.
5

I highly recommend reading up on XSS and CSRF. (Shameless plug: I blogged a high-level overview here.) It is hard enough to prevent these sorts of things when you are actively trying to look out for them; sanitizing JS would be an absolute nightmare.

Comments

4

Yes, it seems like you've got a grasp of what is required. Just be careful not to execute the arbitrary code - you could be entering a world of XSS hurt.

Unless you're going to be getting millions of hits a minute, any database or framework will be fine.

Comments
