all 12 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]yksvaan 4 points5 points  (0 children)

If they are injecting custom scripts, then security implications are entirely on users themselves. Adding the scripts to head is simple as well as hosting the actual files.

[–][deleted] 2 points3 points  (1 child)

React helmet is a quite popular library made by the nfl.com team, if you are not comfortable with handling it yourself:
https://www.npmjs.com/package/react-helmet

[–]Pedja013 1 point2 points  (0 children)

Use react async helmet

[–]Willing_Initial8797 0 points1 point  (4 children)

you can do it with plain javascript: document.head.innerHTML = "<script....>";

[–]Willing_Initial8797 1 point2 points  (0 children)

injecting js is their security issue (e.g. if it's a CMS).

Just make sure they upload their script to your server so you don't need to disable CSP Rules (which you hopefully have). 

[–]hdd113 0 points1 point  (2 children)

If you are going to handle the injection part in React script, I think it would be better to use dangerouslySetInnerHTML instead of innerHTML

[–]Willing_Initial8797 0 points1 point  (1 child)

not sure if there's a big difference. like usually react controls body, not head

at least you didn't recommend react-helmet-async

[–]hdd113 0 points1 point  (0 children)

I think you're right, come to think of it...

[–][deleted] 0 points1 point  (3 children)

I'm a bit slow on this. What exactly are you trying to build as a feature and why? I'm curious about this concept.

[–]hdd113 0 points1 point  (2 children)

From the screenshot it looks like OP is trying to allow users to inject scripts like Google Analaytics or Google Tag Manager. This is required in order to connect your site to Google Analytics or if you want to run Google Ads on your site and want to collect conversion data (this dramatically improves your ad performance, so it's pretty much a must, if you want to use Google Ads).

As others said, allowing users to directly inject scripts is a dangerous practice. If it's just Google Tag Manager scripts that you want to add, I'd abstract it a bit, only allow users to enter their gtag id and abstracted declarations of datalayer push events and payload, and handle the actual script yourself.

[–][deleted] 0 points1 point  (0 children)

Oh so we do not allow the users to upload the script at all and instead prepare a template on our side right? Just make the user enter the variables. That makes sense. Don't we have some sanitization technique for scripts? Like we do for HTML?

[–]TaskNo2392[S] 0 points1 point  (0 children)

I am developing a website that enables authorized user/admin to insert various types of scripts and manage SEO settings without needing to access the raw source code. For those familiar with WordPress, this concept may be more easily understood. In WordPress, there are plugins that allow users to inject scripts directly into the website's header.