Tuesday, 7 August 2018

XSS - Is running user code in a client-side webapp safe?

I'm building a static webapp (client-side) that allows users to write custom GLSL shader code as part of an advanced feature. To allow my users to share their work, I'm thinking about encoding their GLSL code into the URL hash via encodeURIComponent for sharing, and later decoding, compiling, and running it.

Since I'm not very well-acquainted with the nuances of XSS, I'd like to make sure this feature is safe before implementing it. As far as I can tell, what I'm doing is as safe as shadertoy or jsbin - there are no accounts or logins at stake, so malicious code wouldn't be able to do more than it would on jsbin. Am I missing something, or should this be ok?
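The part of this design that decides whether it is an XSS problem is not the shader itself but where the decoded string ends up: it must only reach the GLSL compiler and text nodes, never innerHTML, eval or a script element. The following is an added example (not the question's own code); function names, the `shader=` fragment key and the length cap are assumptions.

```javascript
// Sharing GLSL through the URL fragment without creating an HTML/JS sink.
// Names (shareUrlFor, shaderFromUrl, compileShared, showSource) are made up here.
const MAX_SHADER_CHARS = 64 * 1024; // assumed cap: bounds link size and compile work

// Build a share link. The shader travels in the fragment, which browsers never
// send to the server, so the only consumer is this client-side app.
function shareUrlFor(baseUrl, glslSource) {
  const u = new URL(baseUrl);
  u.hash = 'shader=' + encodeURIComponent(glslSource);
  return u.toString();
}

// Recover the shader from a share link. Returns null instead of throwing on a
// missing key, a malformed %-escape, or oversized input, so the app can fall
// back to its default shader rather than crash on a hand-edited URL.
function shaderFromUrl(url) {
  let hash;
  try { hash = new URL(url).hash; } catch { return null; }
  const m = /^#shader=(.*)$/s.exec(hash);
  if (!m) return null;
  let src;
  try { src = decodeURIComponent(m[1]); } catch { return null; } // bad escape
  if (src.length > MAX_SHADER_CHARS) return null;
  return src;
}

// The decoded text goes to the shader compiler as data. It is never parsed as
// HTML or JavaScript, so markup or script inside it has nothing to act on.
function compileShared(gl, type, src) {
  const shader = gl.createShader(type);
  gl.shaderSource(shader, src);
  gl.compileShader(shader);
  if (!gl.getShaderParameter(shader, gl.COMPILE_STATUS)) {
    const log = gl.getShaderInfoLog(shader); // driver text: display via textContent too
    gl.deleteShader(shader);
    return { ok: false, log };
  }
  return { ok: true, shader };
}

// Show the shared source (or a compile log) as text. Assigning textContent
// creates a text node, so "<img onerror=...>" in the shader stays inert.
function showSource(preElement, src) {
  preElement.textContent = src;
}
```

Sanitizing is not needed anywhere in this path because no step interprets the string as markup; the bug to avoid is adding one later (for example a "view source" panel built with innerHTML).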
