[FEATURE]: User Snippets #1722
Comments
I have seen a lot of concern about exploits via remote CSS, etc. Should not the same concerns apply here? Even without snippet sharing it seems precarious.
As user snippets' CSS are scoped to the document iframe, there is no possibility of a CSS exfiltration or other kind of exploit. There is no data to steal apart from the url for our stylesheets, which is open anyway. So that css would not touch the Homebrewery, just the rendered iframe.
If a script is executed within the brew's preview iframe, then that script has access to both cookies and localStorage. The user's authentication is stored in a cookie. (Tested by hand-writing a That said, I don't know in which context the script runs — is it the css file, is it the iframe, is it the exploit I don't know, and I really don't want us to find out the hard way. https://stackoverflow.com/questions/476276/using-javascript-in-css
But we sanitize the CSS and markdown anyway, this css or markdown for the user snippets is not a bigger vulnerability than the style tab itself!
I'm going to suggest we not touch this issue but users can do so with TamperMonkey. We can even go so far as to build a usable framework stub.
This should be covered adequately by #3870 once complete unless dynamic snippets are absolutely required.
From the subreddit today (https://www.reddit.com/r/homebrewery/comments/pyg427/your_own_code_snippets): a suggestion for Users to be able to add their own custom Snippets to the SnippetBar.
I suspect that this would be an ideal use case for the UserInfo framework.