Can you run ANY javascript in the p5 web editor ?

[pilattebe]

Nature of issue?

• Found a bug
• Existing feature enhancement
• New feature request

Details about the bug:

• Web browser and version: Safari 12.0
• Operating System: MacOS
• Steps to reproduce this:
  I am a javascript beginner, but it seems to me that the p5 web editor should ban some javascript.
  A script like this should not be legal as can redirect you to any website (why not a fake login page or whatever).
  window.open("https://youtu.be/dQw4w9WgXcQ")

Feature enhancement details:

I don't know what are the limitations of javascript but I feel like the p5 web editor is a sharing platform, and it should be safe for people to execute other people's code in it. If you allow such thing, the bad guys are going to find every possible way to exploit your website.
Again, I do not know much about your website nor Javascript nor security in general but this doesn't feel right.

[catarak]

this is a great question! i'm not sure where to come down on this.

my instinct is that there are cases in which this could be good and cases where it could be malicious. this is where #609 comes into play. i think if users could report malicious sketches, then we would have a policy for what constitutes deleting a sketch/banning a user/etc.

open to thoughts and ideas!

[pilattebe]

The fact that you can hide stuff in the index file makes it scarier.
User should definitely be able to report sketches.

[catarak]

the iframe that the sketch is running in is sandboxed, so it can't arbitrarily grab cookies or stuff like that. a user would have to enter sensitive information.

that being said, i feel like adding a terms of service/privacy policy is really important! i'm gonna work on that next week.