When dealing with forms and data storage/redistribution, the general motto is “Never trust user data”. I can easily find ways to sanitize HTML/CSS, and even how to deal with files (images, videos, PDF …) before storage, and I would never accept raw JavaScript (eval is evil), but there aren’t many resources concerning securing or sanitizing user GLSL input.
The only way I can think of is to treat it as a simple string (server side) and test it with a ShaderMaterial (client side): if the compiler doesn’t throw any error, the data is cool; otherwise, ban the user and blacklist the entire region of his IP.
Are there other ways to deal with this kind of data, or am I just being too paranoid and should I trust the browser’s built-in security?
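
The client-side compile check described in the post, written against the raw WebGL API, as an added example that is not part of the original post. `checkUserShader`, `MAX_SOURCE_CHARS` and the printable-ASCII policy are assumptions made for illustration.

```javascript
// Added example, not from the original post. checkUserShader, MAX_SOURCE_CHARS
// and the printable-ASCII policy are assumptions made for illustration.
const MAX_SOURCE_CHARS = 16 * 1024; // assumed size cap for one shader

// gl: a WebGLRenderingContext; type: gl.VERTEX_SHADER or gl.FRAGMENT_SHADER.
// Returns { ok, reason } and does not throw on bad GLSL.
function checkUserShader(gl, type, source) {
  if (typeof source !== "string") {
    return { ok: false, reason: "source is not a string" };
  }
  if (source.length > MAX_SOURCE_CHARS) {
    return { ok: false, reason: "source too large" };
  }
  // Assumed policy: tab, LF, CR and printable ASCII only.
  if (/[^\t\n\r\x20-\x7e]/.test(source)) {
    return { ok: false, reason: "disallowed character" };
  }
  const shader = gl.createShader(type);
  if (!shader) {
    return { ok: false, reason: "could not create shader object" };
  }
  try {
    gl.shaderSource(shader, source);
    gl.compileShader(shader);
    // compileShader reports failure through COMPILE_STATUS, not an exception.
    if (!gl.getShaderParameter(shader, gl.COMPILE_STATUS)) {
      return { ok: false, reason: gl.getShaderInfoLog(shader) || "compile failed" };
    }
    return { ok: true, reason: "" };
  } finally {
    gl.deleteShader(shader); // the probe object is no longer needed
  }
}
```

A passing result only shows that the source is valid GLSL for this context; it does not bound how long the shader takes to run.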