
I have a website builder which allows users to drag and drop HTML blocks (img, div, etc…) into the page. They can save it. Once they save it, they can view the page.

I also allow custom code like JavaScript. Would it be safe to have their page be displayed on another server on a subdomain (mypage.example.com) but still fetched from the same database as the main server, or does it not matter to put it on the same server as the main server?

As far as I know, they cannot execute any PHP code since I will be using echo to display the page content.

Thanks for help!

2 Answers


  1. That depends on your setup. If you allow them to run custom JavaScript, they can probably steal session tokens from other users, which could be used to steal other accounts. I would recommend reading about XSS (Cross-Site-Scripting).

    In short: XSS is the vulnerability to inject code into a site, which will run on other people's computers.

    It wouldn’t make sense to give you a strict tutorial on how to do this at this point, because every system is different and needs different configuration to be attack-resistant.

    Letting users put code somewhere is always a risk!

  2. there is no need for another server, but you do need another domain to prevent Cross Site Scripting attacks on your main page. and no, a subdomain may not be sufficient, put it on another domain altogether to be on the safe side. (luckily domains can be acquired for free if you’re ok with a .tk domain)

    Would it be safe to have their page be displayed on another server on a subdomain

    even a subdomain could be dangerous, just put it on another domain altogether, and you’ll be safe.

    or does it not matter to put it on the same server as the main server?

    you can have it on the same server. btw, did you know that with shared webhosting services (like GoDaddy, hostgator, etc) there’s thousands of websites sharing a single physical server?

    • also, DO NOT listen to the people saying you need to sanitize or filter the HTML, that is NOT true. there is no need to filter out anything, in my opinion, that is corruption of data. don’t do that to your users, there’s no need to do it. (at least i can’t think of any)

    As far as I know, they cannot execute any PHP code since I will be using echo to display the page content.

    correct. if you were doing include("file"); or eval($code); then they could execute server-sided code, but as long as you’re just doing echo $code;, they won’t be able to execute server-side code, that’s not a security issue.

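The answers above turn on which of the main site's session cookies a page full of user-supplied JavaScript can reach. The following is an added example, not code from either answer: it applies the RFC 6265 domain-matching rule to a constructed set of main-site cookies and reports what a user-content host would receive. The cookie names and the separate domain `usercontent.example` are hypothetical, and the Path and Secure attributes are left out of the model.

```javascript
// Added example (not from the thread): which main-site cookies reach a
// user-content host. Path and Secure attributes are left out of this model.

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  return h === d || h.endsWith("." + d);
}

// cookie = { name, setBy, domain?, httpOnly }. Without a Domain attribute the
// cookie is host-only and goes back to the exact host that set it.
function sentTo(cookie, host) {
  if (cookie.domain === undefined) {
    return host.toLowerCase() === cookie.setBy.toLowerCase();
  }
  return domainMatch(host, cookie.domain);
}

// HttpOnly hides a cookie from document.cookie; the browser still attaches it
// to requests for that host.
function audit(cookies, host) {
  return cookies.map((c) => ({
    name: c.name,
    sent: sentTo(c, host),
    scriptReadable: sentTo(c, host) && !c.httpOnly,
  }));
}

// Constructed sample data: cookie names and usercontent.example are hypothetical.
const mainSiteCookies = [
  { name: "sess_wide", setBy: "example.com", domain: "example.com", httpOnly: false },
  { name: "sess_wide_http", setBy: "example.com", domain: ".example.com", httpOnly: true },
  { name: "sess_hostonly", setBy: "example.com", httpOnly: true },
];

for (const host of ["mypage.example.com", "usercontent.example"]) {
  console.log(host, audit(mainSiteCookies, host));
}
```

A cookie set with `Domain=example.com` is delivered to `mypage.example.com`, while none of the three reach the separate domain.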