We host whatever HTML people upload, JavaScript and all, and most of it is generated by an AI and never read line by line first. So the honest answer to 'what stops that code from injecting something or hijacking a session' is not that we scrub it clean. It is that we assume every page is hostile and make that assumption not matter. Here is exactly how.
Someone evaluating ShareMyPage asked the sharpest question we get. You host whatever HTML people upload, JavaScript included, so what stops that code from injecting something, or hijacking a session with a bit of script? It is exactly the right thing to ask. Hosting arbitrary HTML is the entire product, and a lot of that HTML is generated by an AI and pasted in without anyone reading it line by line first. So the honest answer is not "we scrub it clean." It is that we assume every page is hostile and make that assumption not matter.
Why we do not sanitize the HTML
The obvious instinct is to strip anything dangerous out of the upload. We deliberately do not, for two reasons.
The first is that it would break the product. The pages people share here are real pages: dashboards that fetch and chart data, prototypes you can click through, small interactive tools. The JavaScript is the point. Strip it and you are left with a screenshot.
The second is that sanitizing untrusted HTML is a permanent arms race, and the defender loses the day they miss one case. The moment your safety depends on catching every dangerous construct, a single gap is a breach. So we took the opposite approach: run the page exactly as written, but somewhere it can do no harm to you, to us, or to anyone else who opens it.
The whole trick. Instead of trying to make the HTML safe, we make where it runs safe. Nothing about the file has to be trusted.
Every page runs in a sandbox with no origin
A shared page is never rendered directly on the site. It is loaded inside a sandboxed iframe, and the sandbox grants exactly enough for it to be a real page and nothing that would let it reach anyone.
< iframe src = "{a short-lived signed URL on the content origin}" sandbox = "allow-scripts allow-popups allow-forms allow-downloads allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation" referrerpolicy = "no-referrer" ></ iframe >
... continue reading