
We are building a multitenancy web app with Laravel (+Blade). Each user can create a store (tenancy) and has a control panel where they can edit the store settings and styling. To edit the store styling, we thought about letting the user opt to write his own CSS, HTML and JS (for Google Analytics, a pixel or anything else). Our concern is security, but we thought that since the store owner is the one responsible for his own store (which exists on a custom subdomain), an XSS on his side would be his own responsibility. But how do we protect our app if the owner does anything malicious?

  • I would limit JS to a few pre-configured/approved tools (think WordPress); HTML and CSS have comparably minimal risk. Treat the owner's input as untrusted as a customer's, and don't let it do anything it shouldn't. Commented Aug 12, 2021 at 19:37
  • @dandavis, so it would be okay if I limit JS to specific tools and allow HTML but blacklist the <script> tag? Commented Aug 13, 2021 at 3:56
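The comment above asks whether allowing HTML but blacklisting the <script> tag is enough. The safer model is an allowlist: rebuild the owner's fragment from scratch, keeping only known tags and attributes, so that event-handler attributes and script-scheme URLs are never re-emitted rather than hunted down one by one. Below is an added example of that approach in Python; it is not code from the Laravel app in the question (in PHP, an allowlist library such as HTML Purifier implements the same model), and the allowed tag and attribute sets are a constructed policy to be adapted per store.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist policy (constructed for this example): anything not listed here is dropped.
ALLOWED_TAGS = {"p", "div", "span", "a", "img", "h1", "h2", "ul", "ol", "li", "br", "strong", "em"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}, "div": {"class"}, "span": {"class"}}
VOID_TAGS = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag and body both removed
SAFE_URL_PREFIXES = ("http://", "https://", "/")


class AllowlistSanitizer(HTMLParser):
    # Rebuilds the fragment from scratch; only allowlisted tags and attributes are re-emitted.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1      # suppress everything until the matching end tag
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                    # unknown tag: the tag goes, its text content stays
        parts = [tag]
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue              # drops on*, style and anything else not on the list
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue              # rejects javascript:, data: and other non-http(s) URLs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text nodes are always entity-encoded


def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Comments, doctype declarations and CDATA sections are discarded because the parser's default handlers for them emit nothing. Store-owner JS for analytics should still go through a separate list of approved integrations rather than this sanitizer.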
