When running a site that hosts user-generated content including HTML and JavaScript, what are some best practices that can help ensure the security and integrity of the host and any visitors to the site?
Adding some examples of possible techniques here. Technical options:
- Separate domains: Use a separate domain from your main site to host user-generated content. Github does this, as does jsFiddle
- Limited tags: Restrict HTML tags that users can enter. The big one is <script>, which is obviously not possible with JS hosting. However, one could conceivably limit JS as well (though that might not be practical).
Manual/semi-manual patterns:
- Content moderation
- User flagging: Give users a way to flag malicious content for removal