Save custom codes (html and javascript)

[Dennis Spohr]

I created a tool where users can design their individual landingpage. Lately users want to implement their own html- and/or javascript code, for example for loading an iframe or custom tracking codes.

If I give them an textarea, where they can paste their custom html or javascript code - is this secure?
I would use $sanitizer->text to prevent sql injections.

But is this a safe way? I don't (really) know which code they would save (and load).

I would like to get an idea and your thoughts.

Thanks and greetings from Malta,
Dennis

[wbmnfktr]

It's not that I don't trust people but... I'd be careful with things like that. 

First off all most people just take code they get from whoever and place it somewhere without knowing what will happen afterwards.

If there are tools and services like Facebook Pixel, HubSpot or similar they want to use, give them the option to enter only the necessary details like Pixel ID or campaign ID and let your system do the rest.

Maybe you can ask your users what they want to add to their landingpages and start from there.

In my opinion that's much safer and easier for everyone.

If it was my service I wouldn't allow them more than that. At the end I'm the one that risks everything.