There's nothing to do and no need to care about "explode" scripts; let the browser patches or anti-virus software deal with it.
What I worried about is, when previewing, the code is able to access cookies in www.mydomain.com (suppose this is my domain).
So, is it possible to separate that code away from my domain?
Cookies are on the user's computer. If someone knows enough to enter a script that displays cookies, then they know enough to go into their own hard drive and read their own cookies directly. So you can't be worried about someone reading their own cookies.
Are you saying there is a possibility that one person might write a script that extracts a different user's cookies?
I know users can access their own cookies.
And yes, I'm saying that one user can steal other users' cookies (same domain, of course) by submitting JavaScript code and waiting for another user to preview it. Sooooo... terrible security problem!
After a long time thinking, I found a way to do it:
When the "preview" button is pressed, submit the code to www.anotherdomain.com and output it as "Content-type: text/html", so it can't access the user's cookies for www.domain.com.
(All the above domains are for example only.)
But is this the only way? I have to prepare a standalone domain for this single problem :(
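The separate-domain trick above is one way to keep the previewed script out of the main site's cookies. An added example, not code from the thread, showing a second way that works even without a second domain: serve the preview with a `Content-Security-Policy: sandbox` header (or embed it in an `<iframe sandbox>`), which gives the preview document an opaque origin so `document.cookie` and the embedding page's DOM are unreachable from it. It is written as a plain WSGI app so it runs with the standard library; the host name `preview-sandbox.example` is a placeholder, and `run_preview` drives the app with a constructed request for testing.

```python
"""Serve a user-submitted HTML preview so scripts inside it cannot read the
main site's cookies (added example; assumes a WSGI server such as wsgiref)."""
import html
import io
from wsgiref.simple_server import make_server

# Placeholder for an isolated preview host. A separate registrable domain, as
# proposed in the thread, is still the strongest isolation: cookies set with
# Domain=mydomain.com are shared with every subdomain, so a mere subdomain is
# not enough on its own.
PREVIEW_HOST = "preview-sandbox.example"

# 'sandbox' without 'allow-same-origin' gives the preview document an opaque
# origin: document.cookie throws and the parent page's DOM is not reachable.
# 'allow-scripts' keeps the user's own JavaScript running for the preview.
PREVIEW_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy", "sandbox allow-scripts"),
    ("X-Content-Type-Options", "nosniff"),  # never sniff the body into another type
    ("Cache-Control", "no-store"),          # previews must not land in shared caches
    ("Referrer-Policy", "no-referrer"),     # do not leak the preview URL outward
]


def preview_app(environ, start_response):
    """WSGI app: echoes the POSTed HTML back unchanged, but under the
    isolation headers above, so the browser sandboxes whatever runs in it."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"POST the HTML to preview"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    start_response("200 OK", PREVIEW_HEADERS)
    return [body]


def sandboxed_iframe(user_html: str) -> str:
    """Alternative for an inline preview on the editing page itself: embed the
    HTML in a sandboxed iframe via srcdoc. Again no 'allow-same-origin', so the
    frame cannot touch the host page's cookies or DOM. srcdoc is an attribute,
    so the HTML is attribute-escaped before being placed in it."""
    return (
        '<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" '
        'srcdoc="%s"></iframe>' % html.escape(user_html, quote=True)
    )


def run_preview(user_html: bytes):
    """Drive preview_app with a constructed WSGI environ (used for testing);
    returns (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    environ = {
        "REQUEST_METHOD": "POST",
        "CONTENT_LENGTH": str(len(user_html)),
        "wsgi.input": io.BytesIO(user_html),
    }
    body = b"".join(preview_app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Constructed sample: a preview that tries to read its own cookies.
    status, headers, body = run_preview(b"<script>alert(document.cookie)</script>")
    print(status, headers["Content-Security-Policy"])
    # Serve for real on a local port; put it behind PREVIEW_HOST in production.
    with make_server("127.0.0.1", 8081, preview_app) as httpd:
        httpd.serve_forever()
```

Note that the browser still sends the site's cookies with the request to the preview URL; the sandbox only stops script in the preview from reading them or reaching the editing page. Using both the CSP sandbox and a separate domain costs nothing extra and covers a browser that ignores the header.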
The question is, what's in the cookies that would constitute a privacy risk? Probably nothing, but if you use cookies to "remember" user IDs and passwords for people, for example, then that could be a genuine security risk.