Accepting user-supplied code is mostly fine
Summary
The article analyzes how WebTiles lets users contribute HTML, CSS, and JavaScript inside a sandbox built from Shadow DOM (which scopes a tile's markup and styles but is not, by itself, a script-isolation boundary) and a custom JavaScript interpreter that executes the user's code rather than handing it to the browser's own engine. It covers sanitization of the submitted markup and styles, shimming of the APIs exposed to interpreted code, and Content Security Policy considerations, then walks through real-world sandbox escapes and a worm incident, concluding that accepting user-supplied code is viable given strong isolation and monitoring.
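As an added illustration of what "API shimming" means in this kind of design (example code written for this page, not WebTiles' own implementation): the interpreter never hands tile code the real `document` or `window`; it hands it a frozen facade whose only members are allow-listed calls, each of which sanitizes its input before touching the host. The facade has a null prototype and refuses the property names that let code walk from any object to `Function` and hence to the real global scope. All names here (`createTileApi`, `runTile`, `escapeHtml`) are hypothetical, and the tile's shadow root is stood in for by a plain record so the example runs offline under Node.

```javascript
// Added example of an allow-listed API facade for interpreted tile code.
// Hypothetical names; not the WebTiles code base.

// Property names that reach Function/Object from any ordinary object.
// A facade must never resolve these, even if it inherits nothing.
const PROTOTYPE_WALK_KEYS = new Set([
  'constructor', '__proto__', 'prototype',
  '__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__',
]);

// Escape text the tile wants rendered so it can only ever be text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for a tile's shadow root (constructed record, not a real ShadowRoot).
function createHost() {
  return { innerHTML: '', style: { color: '' }, logs: [] };
}

// Build the facade that interpreted tile code sees as its only "global".
function createTileApi(host) {
  // Null prototype: nothing inherited from Object.prototype to walk up from.
  const api = Object.create(null);
  api.setText = (text) => { host.innerHTML = escapeHtml(text); };
  api.setColor = (color) => {
    // Accept one closed token shape, never raw CSS (no url(), no expression()).
    if (!/^#[0-9a-f]{6}$/i.test(color)) throw new Error('tile API: color must be #rrggbb');
    host.style.color = color;
  };
  api.log = (...args) => { host.logs.push(args.map(String).join(' ')); };
  Object.freeze(api);

  const deny = (prop) => { throw new Error(`tile API: "${String(prop)}" is not exposed`); };
  const own = (target, prop) => Object.prototype.hasOwnProperty.call(target, prop);
  return new Proxy(api, {
    get(target, prop) {
      if (typeof prop !== 'string' || PROTOTYPE_WALK_KEYS.has(prop) || !own(target, prop)) deny(prop);
      return target[prop];
    },
    set(_target, prop) { deny(prop); },
    defineProperty(_target, prop) { deny(prop); },
    deleteProperty(_target, prop) { deny(prop); },
    has(target, prop) { return typeof prop === 'string' && own(target, prop); },
    getPrototypeOf() { return null; },
    setPrototypeOf() { return false; },
  });
}

// Run one tile. `tileCode` stands in for what the interpreter would execute;
// it receives the facade and nothing else. Any rejected access is recorded
// on the host so the operator can see attempted escapes.
function runTile(tileCode) {
  const host = createHost();
  const api = createTileApi(host);
  try {
    tileCode(api);
  } catch (e) {
    host.logs.push(`blocked: ${e.message}`);
  }
  return host;
}

// Stand-alone demonstration.
console.log(runTile((api) => api.setText('<img src=x onerror=alert(1)>')).innerHTML);
console.log(runTile((api) => api.constructor.constructor('return this')()).logs);
```

The facade is the whole attack surface by design: every member is one of three deliberately narrow functions, and the interpreter is what guarantees tile code cannot obtain any other object reference. Logging the denied accesses gives the monitoring signal the article argues for; in practice that log is where a new escape attempt shows up first.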