I’ve been working on a JS library and would like to set up a demo page on GitHub that allows, for example, users to define their own callbacks and execute commands.
I know “eval() is evil” and I can see how blind eval() of scripts could lead to XSS and other security issues. I’m trying to cook up some alternative schemes.
jsFiddle executes user scripts on a separate domain, http://fiddle.jshell.net (try it and see).
Therefore, it can’t interact with the parent frame and it can’t steal cookies.
You can communicate back using the page title (and so can the enemy).
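The same separation can be reproduced inside one page with a sandboxed iframe instead of a second domain; the following is an added example, not code from the answer or from jsFiddle. It swaps the page-title channel for postMessage, which the host validates before use, and assumes a host served over https (so the frame can reply to `e.origin`); function names are my own.

```javascript
// Host side: build the document for a sandboxed iframe that runs the
// untrusted callback. `userCode` is the body of a function typed by the
// demo user; it is treated as hostile text, never as trusted code.
function buildSandboxDoc(userCode) {
  // Escape '<' so user text cannot close the <script> tag early.
  const literal = JSON.stringify(userCode).replace(/</g, '\\u003c');
  const runner = `
    window.addEventListener('message', (e) => {
      let result;
      try {
        const fn = new Function('input', ${literal});
        result = { ok: true, value: fn(e.data.input) };
      } catch (err) {
        result = { ok: false, error: String(err) };
      }
      e.source.postMessage(result, e.origin); // reply only to the caller
    });`;
  return `<!doctype html><script>${runner}</script>`;
}

// Host side: a frame with sandbox="allow-scripts" (no allow-same-origin)
// has an opaque origin, which postMessage reports as the string "null".
// Accept a message only from that origin and from the frame we created.
function isResultFromSandbox(event, sandboxWindow) {
  return event.origin === 'null'
    && event.source === sandboxWindow
    && event.data !== null && typeof event.data === 'object'
    && typeof event.data.ok === 'boolean';
}

// Browser wiring (skipped under node). Even an accepted result is data
// chosen by the user's code: render it as text, never as HTML.
if (typeof document !== 'undefined') {
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', 'allow-scripts');
  frame.srcdoc = buildSandboxDoc('return input.map((x) => x * 2);');
  document.body.appendChild(frame);
  window.addEventListener('message', (e) => {
    if (!isResultFromSandbox(e, frame.contentWindow)) return;
    document.body.appendChild(document.createTextNode(JSON.stringify(e.data)));
  });
  // targetOrigin must be '*': an opaque origin cannot be named explicitly.
  frame.addEventListener('load', () =>
    frame.contentWindow.postMessage({ input: [1, 2, 3] }, '*'));
}
```

As with the title channel, the user's code can send whatever it likes through the frame; the checks above only guarantee the message came from the sandbox, not that its contents are honest.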