Dynamic HTML viewer
Don't ask why, but I developed a way to dynamically view the output of HTML onto a div element. Here's the relevant code:
Basically, for the purposes of what I am doing, it would be nice if I could put this online and allow people to dynamically build a web page or part of a web page right there.
<textarea onKeydown="update()" id="targetB" style="width:100%;"></textarea>
<div id="targetA" style="position:absolute; border:1px solid #777777; background-color:#ffffff; padding:20px;"> </div>
Now, I am expecting someone to bonk me on the head with the pretense that there is a huge security hole in this. The only problem is, I personally can't think of one. Yes, you can type something like:
and have it load an iframe with Google loaded in it. So basically I would like to request that someone please point out some obvious security hole that isn't so obvious to me right now so I don't get my hopes up of actually being able to use this.
Thanks in advance :)
The security worry is that the owner of a site that accepts input will mine the input for nefarious commercial or political reasons.
Just saying you won't usually isn't enough to overcome reasonable skepticism.
Although you make a good point, I meant security more in terms of someone actually using something like that to hack the site. Would you know anything about that?
You can't actually hack the site using that unless you're then inserting their HTML into a database or storing it on your server. If users insert bad HTML, it'll just affect their own computer, as that's where it's being executed. If you are inserting their HTML into a database, only output it to that user and make sure everything is escaped (mysql_real_escape_string() in PHP will do).
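Added example, not code from anyone in this thread: a sketch of the stored case the last reply describes, where HTML one user typed is later written into a page. It shows HTML output escaping (submission displayed as text) and, as a different technique from the one named in the reply, rendering the markup inside a sandboxed iframe so scripts in it do not run in the site's origin. The function names and the sample string are made up for illustration.

```javascript
// Added example; all names here are hypothetical.

// Escape the characters that are significant in HTML text and in quoted
// attribute values, so a stored submission is displayed as text, not parsed.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build markup that renders stored HTML inside an iframe with an empty
// sandbox attribute: scripts, forms and popups are disabled and the frame
// gets a unique origin, so it cannot reach the host page's DOM or cookies.
// The markup is attribute-escaped so it cannot break out of srcdoc="...".
function sandboxedPreview(storedHtml) {
  return '<iframe sandbox="" srcdoc="' + escapeHtml(storedHtml) + '"></iframe>';
}

// Browser-side wiring for a live preview like the one in the question,
// with the sandboxed frame in place of a div. The "input" event fires
// after the textarea value has changed.
function attachPreview(textarea, frame) {
  frame.setAttribute('sandbox', '');
  textarea.addEventListener('input', () => {
    frame.srcdoc = textarea.value;
  });
}

// Constructed sample submission, not taken from the thread.
const sample = '<p onclick="x()">hi</p><script>x()</script>';

function demo() {
  return {
    asText: escapeHtml(sample),        // safe to place in an HTML text node
    asFrame: sandboxedPreview(sample)  // rendered, but with scripts disabled
  };
}
```
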