5

I'm creating a web site that lets people create their own site using a subdomain. Are there any security implications of letting people add custom JavaScript to their pages? If so, which ones? XSS? Cookie sniffing? Could I make it work by sanitising the HTML?

Right now I'm disallowing it, but it'd be great to let people decide for themselves. I've noticed GitHub hosted pages have user entered JavaScript on them.

2 Answers

6

The Same Origin Policy for DOM access isolates sub-domains, therefore the impact of XSS is isolated to a specific sub-domain. The Same Origin Policy for Cookie scope isolates sub-domains in that they cannot read or write another sub-domain's cookies. Just make sure your main site is www.site.com and no cookie is scoped to *.site.com, as this would be accessible (if it was an HttpOnly cookie, it would not be accessible from JavaScript regardless of its scope).

rook
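The cookie-scope check described in the answer above, as an added example that is not part of the original post: it classifies `Set-Cookie` headers issued by the main site by whether script on a user subdomain could read them. The host names (`www.site.com`, `alice.site.com`), the sample headers and the function names are constructed for illustration.

```javascript
// Added example: audits Set-Cookie headers for scope leaks to user subdomains.
// Hosts and header values below are constructed samples, not real data.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), domain: null, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    // Browsers ignore a leading dot in the Domain attribute.
    if (key === 'domain') cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

function auditCookie(header, settingHost, userHost) {
  const c = parseSetCookie(header);
  // Without a Domain attribute the cookie is host-only: exact host match required.
  const inScope = c.domain
    ? (userHost === c.domain || userHost.endsWith('.' + c.domain))
    : userHost === settingHost;
  let verdict;
  if (!inScope) verdict = 'isolated';
  else if (c.httpOnly) verdict = 'in-scope-but-httponly';
  else verdict = 'readable-by-user-script';
  return { name: c.name, verdict };
}

function auditAll(headers, settingHost, userHost) {
  return headers.map(h => auditCookie(h, settingHost, userHost));
}

// Constructed sample: headers the main site might send.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; Secure; HttpOnly',    // host-only to www.site.com
  'prefs=dark; Domain=site.com; Path=/',         // scoped to every subdomain
  'sid=xyz789; Domain=.site.com; HttpOnly; Secure',
];

for (const r of auditAll(SAMPLE_HEADERS, 'www.site.com', 'alice.site.com')) {
  console.log(`${r.name}: ${r.verdict}`);
}
```

Any cookie reported as `readable-by-user-script` is one to re-issue without a `Domain` attribute so it stays host-only to the main site.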
1

Allowing user entered JavaScript is pretty much the definition of Cross Site Scripting (XSS).

The story of the Samy Myspace Worm is a great illustration of what can happen when a user can upload JavaScript onto your site. Myspace wanted to allow sanitized HTML, but the hacker found a way to get around it. He put some JavaScript in that caused anybody who viewed his profile to "friend" him and post the JavaScript on their own profile.

Stephen Ostermiller
  • 2
    Yes, but what if this JavaScript is on its own subdomain? You missed a vital part of this question. – rook May 18 '13 at 19:05