I am the creator of http://labcss.net, and I have a security issue I need to solve. labcss is similar to jsFiddle, only jsFiddle execute their Javascript code in a sanbox. Since I need to heavily manipulate the contents of the iframe and interact with it, I can't have the "Run" button approach, which sends the data to the iframe jail.
I need to enforce Javascript restrictions so that the internal Javascript which will run in the iframe, although in the same domain, will execute out of my domain, so I won't have XSS issues. (I do need the Javascript to execute though).
Thanks for the advice.
You could use Google Caja, Microsoft WebSandbox, Facebook FBJS, AdSafe, or (on very modern browsers) SES. These all provide a secure Javascript sandbox. However, be warned: they have a fair number of moving parts.
Caja and WebSandbox let you write standard Javascript, with no restrictions, and you can use many existing Javascript libraries. FBJS and AdSafe have you write in a different more restricted language: FBJS in Facebook's variant of Javascript, AdSafe in a restricted subset of Javascript with its own library.