When dealing with forms and data storage/redistribution the general motto is “Never trust user data”. I can easily find ways to sanitize HTML/CSS, and even how to deal with files (images, videos, PDF …) before storage, and I would never accept raw Javascript (eval is evil), but there aren’t many resources concerning securing or sanitizing user GLSL input.
The only way I can think of is to treat it as a simple string (server side) and test it with a ShaderMaterial (client side): if the compiler doesn’t throw any error, the data is cool; otherwise, ban the user and blacklist the entire region of his IP.
Are there other ways to deal with this kind of data, or am I just being too paranoid and should trust the browser’s built-in security?
What exactly are you concerned about? The GLSL program will either compile or it won’t. I don’t think there’s much room for malicious attacks via shaders, otherwise just opening any website could be a dangerous endeavor.
Your approach sounds like a good one. Accept the user input, run the shader and see if it compiles. If it does then you can upload it to the server. That’s the way https://www.shadertoy.com/ does it. If you want extra security, I guess you could compile it server-side in a headless browser so the users don’t circumvent your upload API.
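The compile-and-check step both answers describe, as an added example that is not from this thread or from three.js: it uses the raw WebGL API instead of ShaderMaterial, takes the `gl` context as a parameter (so the same function runs in the page or in the headless browser suggested above), and returns the driver's error log rather than throwing. The size limit `MAX_SOURCE_CHARS` is an assumed value.

```javascript
// Added example: validate user-supplied GLSL by compiling and linking it with WebGL.
// `gl` is any WebGLRenderingContext; it is passed in rather than created here so the
// function has no DOM dependency and can be reused from a headless-browser harness.
const MAX_SOURCE_CHARS = 64 * 1024; // constructed limit; tune to your use case

function compileStage(gl, type, source) {
  const shader = gl.createShader(type);
  gl.shaderSource(shader, source);
  gl.compileShader(shader);
  const ok = gl.getShaderParameter(shader, gl.COMPILE_STATUS);
  const log = ok ? '' : (gl.getShaderInfoLog(shader) || 'unknown compile error');
  if (!ok) gl.deleteShader(shader); // nothing worth keeping from a failed compile
  return { ok, shader: ok ? shader : null, log };
}

// Returns { ok, errors } and never throws; GPU objects are released on every path.
function validateShaderPair(gl, vertexSrc, fragmentSrc) {
  if (typeof vertexSrc !== 'string' || typeof fragmentSrc !== 'string') {
    return { ok: false, errors: ['shader source must be a string'] };
  }
  if (vertexSrc.length + fragmentSrc.length > MAX_SOURCE_CHARS) {
    return { ok: false, errors: ['shader source too large'] };
  }
  const errors = [];
  const vs = compileStage(gl, gl.VERTEX_SHADER, vertexSrc);
  const fs = compileStage(gl, gl.FRAGMENT_SHADER, fragmentSrc);
  if (!vs.ok) errors.push('vertex: ' + vs.log);
  if (!fs.ok) errors.push('fragment: ' + fs.log);
  if (errors.length === 0) {
    // Both stages compiled; linking can still fail (e.g. mismatched varyings).
    const program = gl.createProgram();
    gl.attachShader(program, vs.shader);
    gl.attachShader(program, fs.shader);
    gl.linkProgram(program);
    if (!gl.getProgramParameter(program, gl.LINK_STATUS)) {
      errors.push('link: ' + (gl.getProgramInfoLog(program) || 'unknown link error'));
    }
    gl.deleteProgram(program);
  }
  if (vs.shader) gl.deleteShader(vs.shader);
  if (fs.shader) gl.deleteShader(fs.shader);
  return { ok: errors.length === 0, errors };
}

// Browser-only convenience: compile against a throwaway canvas context.
function validateInBrowser(vertexSrc, fragmentSrc) {
  const gl = document.createElement('canvas').getContext('webgl');
  if (!gl) return { ok: false, errors: ['WebGL context unavailable'] };
  return validateShaderPair(gl, vertexSrc, fragmentSrc);
}
```

A passing result only shows the source is valid GLSL for that driver; it says nothing about how expensive the shader is to run.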