My ASP.NET MVC application includes a number of View files that are editable by the end-user (they're stored in a database and loaded via a VirtualPathProvider).

I'd like to allow my users to edit their view files, however I'm wary of the security implications.

Is there any way I can enforce some kind of code-access-security that ensures that any code in the view cannot perform any dangerous tasks (i.e. minimum trust, it can only access the database via a passed-in repository object and render itself. No filesystem access, no debugging its host process, etc).

I can restrict the superclass that the view derives from (by having my VirtualPathProvider provide the header <%@ Page directive, while only the render function body is returned from the database), so can I enforce CAS by applying attributes to this superclass, or is it something more involved and this is no easy task?

MVC runs in a homogeneous AppDomain, which means that all code in the framework runs with the same permission set. As such, there is no way to lower the CAS permissions of a given view. (You wouldn't really want to do this anyway, as it would prevent the MVC framework from working properly.)

The only feasible solution - though unfortunately this is a great deal of work - is to define your own view format that simply can't be used to do anything dangerous, then have a custom view engine that knows how to serve views of that type. This gives you the ability to define "dangerous" however you want, from blocking server-side code execution to even attempting to block Javascript execution (which is quite a difficult task in its own rite).