I need to attach JavaScript code to my content for tech blog purposes, and give visitors the capability to run it.
Do you think there are security concerns? Me, no.
The PHP filter has been in Drupal core from the beginning, and it was not a security concern unless you give everyone permission to post content or comments in PHP format. What makes JavaScript a security concern?
Well, while writing such a module (yes, I want to make something useful and versatile for this; I am tired of uploading the file and writing < script src=…. with the PHP filter every time), I googled and found http://stackoverflow.com/questions/1378246/drupal-filefield-wont-upload-javascript-files
with the interesting suggestion to use variable_set('allow_insecure_uploads',1);
because of the munge mechanism, which made me curious about what munging is. This is from file.inc:1074 (Drupal 7.22):
/**
 * Modifies a filename as needed for security purposes.
 *
 * Munging a file name prevents unknown file extensions from masking exploit
 * files. When web servers such as Apache decide how to process a URL request,
 * they use the file extension. If the extension is not recognized, Apache
 * skips that extension and uses the previous file extension. For example, if
 * the file being requested is exploit.php.pps, and Apache does not recognize
 * the '.pps' extension, it treats the file as PHP and executes it. To make
 * this file name safe for Apache and prevent it from executing as PHP, the
 * .php extension is "munged" into .php_, making the safe file name
 * exploit.php_.pps.
 *
 * Specifically, this function adds an underscore to all extensions that are
 * between 2 and 5 characters in length, internal to the file name, and not
 * included in $extensions. ...
So, be warned about this Apache behaviour, which can make things unstable. Note: it is Apache's behaviour, not PHP's, so it applies to anything else that has an Apache module. (Using a dedicated data directory is the best practice.)
I decided to let it be and go with Drupal's security, changing the src attribute to load that .txt file, which is perfectly legal.
The module will be named runyourjs. I have just done the file upload part; next I want to add a default load button (interactive), then upload it to a Drupal sandbox.
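As an added illustration (not code from this post or from Drupal), here is a re-implementation of the munging rule described in that docblock, alongside a simplified model of the right-to-left extension lookup it guards against. The extension-like pattern, the function names, the handler table and the allow_insecure_uploads parameter are assumptions made for the example.

```python
import re
from typing import Dict, Optional

# A name segment that looks like a file extension: 2-5 letters plus an
# optional trailing digit ("php", "php5", "pps"). This pattern is an
# assumption based on the docblock; Drupal's exact regex may differ.
_EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename: str, allowed: str, allow_insecure_uploads: bool = False) -> str:
    """Re-implementation of the documented munging rule (not Drupal's code).

    `allowed` is a space-separated extension list like "jpg png txt", mirroring
    the $extensions argument in the file.inc docblock. The flag mirrors the
    effect of variable_set('allow_insecure_uploads', 1): no munging at all.
    """
    if allow_insecure_uploads:
        return filename
    # Drop NUL bytes so "evil.php\0.txt" cannot be truncated to evil.php downstream.
    filename = filename.replace("\0", "")
    whitelist = {e.lower() for e in allowed.split()}
    parts = filename.split(".")
    if len(parts) < 3:
        return filename  # no internal extension to munge; the final one is left alone
    basename, *internal, final_ext = parts
    out = [basename]
    for part in internal:
        # Internal, extension-like and not whitelisted -> append "_"
        if part.lower() not in whitelist and _EXT_LIKE.match(part):
            part += "_"
        out.append(part)
    out.append(final_ext)
    return ".".join(out)


def apache_handler(filename: str, handlers: Dict[str, str]) -> Optional[str]:
    """Simplified model (not Apache's code) of the multi-extension lookup the
    docblock describes: walk extensions right to left and use the first one
    with a handler. Returns None when no extension is recognised."""
    for ext in reversed(filename.split(".")[1:]):
        if ext.lower() in handlers:
            return handlers[ext.lower()]
    return None


if __name__ == "__main__":
    # Constructed sample: a server that knows only "php" and "txt".
    handlers = {"php": "php-script", "txt": "text/plain"}
    raw, safe = "exploit.php.pps", munge_filename("exploit.php.pps", "jpg png pps")
    print(raw, "->", apache_handler(raw, handlers))    # php-script
    print(safe, "->", apache_handler(safe, handlers))  # None: "php_" is unknown
```

Note that the final extension is never munged, which is why a .js upload is only accepted when .js itself is whitelisted (or renamed to .txt, as above).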