I would like to use a browser based code editor such as Monaco or Ace in my application to allow users to write some code in the browser that will be executed by other users. You can imagine jsfiddle or similar. However, I don't want to open up Cross-Site Scripting vulnerabilities. I'm not finding much about how to properly implement these tools in an application and prevent XSS.
Is there a way to "sandbox" the javascript written in these tools when it runs? How do tools such as JSFiddle, CodePen, and online editors etc. protect against malicious scripts? In general, what techniques should I use to prevent XSS vulnerabilities when using a browser-based code editor in my app?
Typically these tools run the script on another domain. So they are (intentionally) vulnerable to Cross-Site Scripting, but they sandbox it by leveraging the same origin policy. That's the simplest and easiest way to do it. Even if the editor site has logins etc., scripts running on this sandbox domain are blocked by the same origin policy from accessing any content on the main domain, and as such the XSS is rather useless.
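As an added example of the separate-origin approach described in the answer above (this is illustrative code, not part of the original answer and not how JSFiddle or CodePen are actually implemented): the application lives on `https://app.example` and user snippets are served and executed only from `https://sandbox.example`. Both hostnames, the `/run/` and `/snippet/` paths, and the snippet id format are assumptions. The three pieces are the iframe the main page embeds, the runner document the sandbox origin serves, and the main page's `message` handler, which is where the main origin decides what it trusts from the sandbox.

```javascript
// Added example: isolating user-authored JavaScript on a separate site.
// APP_ORIGIN, SANDBOX_ORIGIN and the URL paths below are hypothetical.
const APP_ORIGIN = "https://app.example";
const SANDBOX_ORIGIN = "https://sandbox.example"; // a separate site, not a subdomain

// Snippet ids are restricted so they cannot smuggle path or query syntax
// into the URLs built below.
const SNIPPET_ID = /^[A-Za-z0-9_-]{1,64}$/;

// 1. Main page: attributes of the iframe that hosts a user's snippet.
//    The cross-site src is what provides the isolation. allow-same-origin
//    keeps the frame's origin as SANDBOX_ORIGIN (so postMessage origin checks
//    work); it cannot reach the embedder because the embedder is a different
//    site. Everything else (top navigation, popups, forms) stays withheld.
function sandboxFrameAttributes(snippetId) {
  if (!SNIPPET_ID.test(snippetId)) throw new Error("invalid snippet id");
  return {
    src: `${SANDBOX_ORIGIN}/run/${snippetId}`,
    sandbox: "allow-scripts allow-same-origin",
    referrerpolicy: "no-referrer",
  };
}

// 2. Sandbox origin: the document that runs a snippet. The user's code is not
//    inlined in HTML but loaded as a separate script resource, so no escaping
//    of the code is required. A bootstrap forwards console.log lines to the
//    parent, addressed explicitly to APP_ORIGIN rather than "*".
function runnerDocument(snippetId) {
  if (!SNIPPET_ID.test(snippetId)) throw new Error("invalid snippet id");
  return `<!doctype html><meta charset="utf-8">
<script>
  const realLog = console.log;
  console.log = (...args) => {
    realLog(...args);
    parent.postMessage({ type: "log", text: args.map(String).join(" ") }, ${JSON.stringify(APP_ORIGIN)});
  };
</script>
<script src="/snippet/${snippetId}.js"></script>`;
}

// Headers for the raw snippet resource on the sandbox origin: fix the MIME
// type, forbid sniffing, and do not cache user content.
function snippetResponseHeaders() {
  return {
    "Content-Type": "application/javascript; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
  };
}

// 3. Main page: accept only messages from the sandbox origin, check the
//    payload shape, and return plain text (to be rendered with textContent,
//    never innerHTML). Returns null for anything that should be ignored.
function acceptSandboxMessage(event) {
  if (event.origin !== SANDBOX_ORIGIN) return null;
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "log") return null;
  if (typeof data.text !== "string") return null;
  return data.text.slice(0, 10000); // cap what reaches the UI
}

// Browser-side wiring; skipped when run outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  window.addEventListener("message", (event) => {
    const text = acceptSandboxMessage(event);
    if (text === null) return;
    const line = document.createElement("div");
    line.textContent = text; // treated as data, not markup
    document.getElementById("output").appendChild(line);
  });
}
```

Two caveats that follow from relying on the same-origin policy this way. First, the sandbox must be a separate site, not merely a subdomain: a cookie set with `Domain=example.com` is sent to `sandbox.example.com` too, and a snippet could then read it if it is not HttpOnly. Second, the sandbox origin must hold nothing worth stealing (no login, no session, no API tokens), because the snippet running there has full control of that origin; the only thing protecting the main application is that the snippet never executes on the main origin, which is also why the message handler treats the sandbox's output as untrusted text.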