Allowing arbitrary HTML allows hackers to use your site to impersonate login pages, using your trusted SSL certificate to make the page appear authorized in the browser header.
Allowing arbitrary content allowed hackers to exploit browsers to run arbitrary code and go wild from there with user permissions.
Allowing arbitrary HTML mixes poorly with having more than one user doing it on a page.
Allowing arbitrary content to be uploaded and served out means that if you're lucky, you'll go bankrupt serving people pirated movies, and if you're not lucky, you'll go bankrupt and to prison for serving child porn.
This is just a sample of the problems.
You have to sandbox this stuff, and the crazier the line you try to draw with the sandbox around what is safe to do, the harder it is to secure.
That's only half the answer. The real answer is that no one wants to spend the time to offer those features securely.
It's perfectly cromulent to allow users to upload CSS and html and even javascript. You just have to put a lot of effort into making it safe.
Look what we did on reddit -- we allowed users to make almost any CSS they want, and look at the beautiful creations that have come from that (like all the sports reddits). It was a lot of work figuring out how to make it safe, but we did it.
And now they're putting in a ton of effort to make it work on mobile too. Because reddit still values user creativity.
It's totally possible to allow all that creativity, it just takes time and consideration to make it safe.
> Look what we did on reddit -- we allowed users to make almost any CSS they want, and look at the beautiful creations that have come from that (like all the sports reddits).
The main reason I have a reddit account is so I can turn off custom CSS for subreddits because otherwise it's almost as garish as MySpace. When they finally eliminate the "old" reddit, I'm gone (unless they hire a competent UX person before then).
> That's only half the answer. The real answer is that no one wants to spend the time to offer those features securely.
> It's perfectly cromulent to allow users to upload CSS and html and even javascript. You just have to put a lot of effort into making it safe.
I work in an online payment company. Custom CSS is one of the features we most hate implementing. It is very difficult to get it right and the cost of maintenance is quite high.
I actually agree with you, but on topic, I can't help but think the original author does not consider reddit "fun and weird", or the objection being made would make little sense.
Sadly yes, but they are trying really hard to make the new experience as close to custom CSS as possible while still maintaining the ability to be creative. Unfortunately it's not really a security problem as much as it is a design problem making things mobile and app friendly.
Most of these things I think are pretty easy to mitigate.
> Allowing arbitrary HTML allows hackers to use your site to impersonate login pages, using your trusted SSL certificate to make the page appear authorized in the browser header.
Make each user have their own custom virtual host (yourname.example.com).
> Allowing arbitrary content allowed hackers to exploit browsers to run arbitrary code and go wild from there with user permissions.
Arbitrary does not mean you can't sanitize it. You can specifically restrict javascript for example.
> Allowing arbitrary HTML mixes poorly with having more than one user doing it on a page.
You don't necessarily need more than one person doing it on a page. Each person can have their own page.
> Allowing arbitrary content to be uploaded and served out means that if you're lucky, you'll go bankrupt serving people pirated movies, and if you're not lucky, you'll go bankrupt and to prison for serving child porn.
You could say the same thing about Facebook. We have the safe harbor act and we have the ability to monitor these systems for misuse.
I don't know enough about MDX and JDX that Codeblog seems to allow. Where, in your opinion, does Codeblog land on the spectrum: more on the secure but boring side, or on the fun and weird but dangerous side?
I never claimed the problems were hard to solve. (It's probably harder than you think, but there are off-the-shelf solutions for them now, as long as you've got a developer smart enough to reach for them, or one skilled and experienced enough to know how to build them in a pinch.)
But by the time you've solved them all, you're pretty much back to where Reddit, HN, Facebook, etc. are. I assume the author does not consider those "fun and weird".
I mean, I remember when Slashdot was having trouble with user abuse of <pre> tags. A simple <pre> tag of all things! When you scale up, you have to close all the little holes, and what's left is not "fun and weird".
You can have fun and weird. It's out there, if you look, and worst case, you can always deploy your own site and do anything you want. But you can't have fun and weird at scale.
Then you strip out interactivity. Which is a pretty huge component of making the internet interesting and weird.
For its many sins, Flash was actually a pretty great sandbox for people to play with that way (as long as it didn't have one of its many security issues at the time).
There was a period when you could use Flash to invoke a javascript: protocol link and it would be executed in the containing page! They fixed it eventually but it was a great way to escape the Flash sandbox.
The other problem that bedeviled sites that allowed arbitrary HTML back in the day was crude phishing attempts: convert your user profile into a fake login page with CSS and HTML. Blocking this entirely is probably impossible. I suppose some machine learning could be used to detect pages styled as phishing attempts.
There were also all sorts of ways to sneak JavaScript back in. I remember embedding a javascript: protocol link inside a Flash applet would do it (flash eventually blocked that though).
Pretty sure if there's no JS you could just block iframes and maybe form tags and then people would have no way to submit anything. They could click a malicious link, sure, but they can do that on today's social networks.
Then you can replace the website "chrome" (the headers, the links back to the rest of the site) with doppelgangers that take you to a phishing page that makes it look like you've been logged out. All of those you'd expect to be internal links, so when they show you a "please log in again" screen you will have no reason for suspicion. You can't do that on Facebook today.
Alternatively, you don't need a form tag. Just show a login set of text inputs and an image that looks like a submit button. That button links you to a phishing site that says "oops! try again" and then you put your password in a second time and this time it's a real form. So you'd have to get rid of text inputs entirely.
If I understand you correctly those "you are leaving example.com" interstitial pages with a redirect are a solution to this problem. Although they are not so pleasant.
Is it technically possible to completely strip out javascript but still retain full html + css compatibility? I had the impression that somebody always finds a way to outsmart any filter using UTF arcana or some other method.
Hmm. I can't say for absolute sure, but if the root document is HTML and there are no <script> tags (or <iframe>s, I guess), I don't see how you'd get JavaScript to execute. I think those are strictly the only entry-points JS can have, and it's not like HTML or CSS could mutate the document to create one after the fact.
EDIT: I brainfarted and totally forgot about inline event handlers. Go easy on the downvotes please.
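The exchange above is the classic reason blocklisting `<script>` and `<iframe>` fails: inline `on*` handlers and `javascript:` URLs are entry points too, so a filter has to allowlist tags and attributes rather than strip known-bad ones. The sanitizer below is an added example, not code from any commenter; the particular tag and attribute allowlists are my own assumptions and would be tuned per site.

```python
from html.parser import HTMLParser
from html import escape

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "div", "span", "pre", "img", "ul", "ol", "li", "h1", "h2", "h3"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class", "style"}   # note: no on* handlers
URL_ATTRS = {"href", "src"}
SAFE_URL_PREFIXES = ("http:", "https:", "mailto:", "/", "#")
VOID_TAGS = {"br", "img"}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "template"}  # drop body too

def _safe_url(value):
    # Collapse whitespace and case first: "JaVaScRiPt:" or "java\tscript:" must not slip past.
    normalised = "".join(value.split()).lower()
    return normalised.startswith(SAFE_URL_PREFIXES)

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:           # <script>, <iframe>, <form>, <input>, ... are dropped
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:     # rejects every inline handler (onclick, onerror, ...)
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue                      # rejects javascript:, data:, vbscript: URLs
            if name == "style" and ("expression(" in value.lower() or "javascript:" in value.lower()):
                continue                      # legacy CSS script vectors
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip_depth:
            self.skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))     # re-escapes "<" so text never becomes markup

def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Comments, declarations and CDATA sections are silently discarded by the parser, which is the behaviour wanted here; a production deployment would additionally serve the result from a separate origin per user, as suggested earlier in the thread.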