On Thursday 26 March 2009 15:26:19 Daniel Cheng wrote:
> On Thu, Mar 26, 2009 at 9:47 PM, M <mpbush at gmail.com> wrote:
> > I understand that javascript has to be disabled because of the
> > multitude of security holes it could open up. I was wondering if anyone
> > had ever thought about a freenetscript similar to how facebook
> > implemented FBML and FBJS to allow developers lots of scope for
> > functionality whilst stopping phishing attacks.
> 
> I did propose something similar in the past.
> But some developers think it is far better to have a JavaScript parser/filter.
> -- a "good" one, not a "complete" one.
> [it cannot be completed, for it is a proven equivalent to the halting problem]

Not true. Only a filter which cannot modify code is equivalent to the halting 
problem. A filter which can modify code and insert guard functions is quite 
feasible: it does not need to know what the long-term behaviour of the code 
is, it just needs to know that the function for e.g. HTML insertion will 
always be fed through our HTML filtering. Having said that, there are various 
subtle attacks which it may not be possible to exclude completely without 
some fairly extreme measures (e.g. not allowing scripts to insert).

Also I don't recall a proposal for a flexible scripting subset, iirc we were 
talking about recipes...
> 
> > The FreenetScript could be parsed by FProxy and turned into regular
> > javascript with freenet-only links.
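
The guard-function argument in the reply, combined with the translation idea from the original question, as a runnable sketch (added here; not code from this thread or from Freenet): a translator that accepts only a tiny script subset and wraps every HTML insertion in a guard, so acceptance is a purely syntactic check while the inserted value is filtered at run time. The names `page`, `input` and `__guardHtml`, the subset grammar, and the escape-everything guard standing in for the HTML filter are all assumptions.

```javascript
// Added illustration, not Freenet/FProxy code. `page`, `input`, `__guardHtml`
// and the accepted subset are assumptions made for this sketch.

// Stand-in for the HTML filter: escapes all markup so it renders as inert text.
function guardHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Accepted subset: one statement per line; an expression is double-quoted
// literals (no backslashes) and lowercase identifiers joined by "+".
const TERM = String.raw`(?:"[^"\\\n]*"|[a-z][a-z0-9]*)`;
const EXPR = `${TERM}(?:\\s*\\+\\s*${TERM})*`;
const VAR_STMT = new RegExp(`^var\\s+([a-z][a-z0-9]*)\\s*=\\s*(${EXPR})$`);
const SINK_STMT = new RegExp(`^page\\.innerHTML\\s*=\\s*(${EXPR})$`);
const RESERVED = new Set(['page', 'input']); // host names a script may not redeclare

// Translate the subset to JavaScript, wrapping every write to the HTML sink in
// the guard. Acceptance is purely syntactic: anything else returns null.
function translate(source) {
  const out = [];
  for (const raw of source.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (!line.endsWith(';')) return null;
    const stmt = line.slice(0, -1).trim();
    let m;
    if ((m = VAR_STMT.exec(stmt)) && !RESERVED.has(m[1])) {
      out.push(`var ${m[1]} = ${m[2]};`);
    } else if ((m = SINK_STMT.exec(stmt))) {
      out.push(`page.innerHTML = __guardHtml(${m[1]});`);
    } else {
      return null;
    }
  }
  return out.join('\n');
}

// Run a script against a stand-in page object; returns the inserted HTML,
// or null if the script was rejected.
function run(source, input) {
  const js = translate(source);
  if (js === null) return null;
  const page = { innerHTML: '' };
  new Function('page', 'input', '__guardHtml', js)(page, input, guardHtml);
  return page.innerHTML;
}
```

The translator never reasons about what value `input` will hold; it only guarantees that whatever reaches `page.innerHTML` has passed through the guard, and it refuses any statement it cannot express in the subset.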