Pascal Voitot wrote:
> see below
> 
> On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <[EMAIL PROTECTED]> wrote:
> 
>> Sergiu pointed to me this had already been discussed in this thread :
>> http://markmail.org/message/nirue2ug5ahbsy5b
>>
>> I agree the security concerns are not very simple to deal with if we
>> want to do this.
>>
> 
> I'm currently thinking about this...
> XSS is really annoying :)...
> but we fear about the JSX extension but is there any security against JS
> injection in any Wiki page?
> 
> At least, JSX could be used as a kind of firewall...
> imagine we create some JSX configuration parameters such as "Allowed JSX
> external URLs"... (this is just an idea :) )...
> Then when you call $jsx.use(externalurl), it is rendered by the JSX
> extension which would verify the URL is allowed and if not would generate an
> error...
> 

Yes, we should forbid <script> tags inside the content, and only allow
jsx calls.

> 
> 
>> Jerome.
>>
>> Jerome Velociter wrote:
>>> I'm now thinking about another possibility : letting the actual
>>> extensions (documents with JavaScriptExtensions objects) letting declare
>>> their libraries dependencies. We could create a new class for this,
>>> which would have the path (absolute in case the file is distant, or name
>>> of the file if it's on the FS) as a property. This way an extension can
>>> declare as many deps as it needs.
>>>
>>> This is not necessarily incompatible with the proposition below, we could
>>> have both.
>>>
>>> Jerome.
>>>
>>> Jerome Velociter wrote:
>>>> Hello,
>>>>
>>>> Following the open question #1 here
>>>> http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
>>>>
>>>> "
>>>> Open question 1: Should $jsx.useFile("filename.js") work for files
>>>> located on the disk? This allows the same pull process to be used with
>>>> files located in the skin, without requiring SX documents and objects.
>>>> I'd say yes. Then, what should the URL look like?
>>>> /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
>>>> "
>>>>
>>>> I would like to propose to go even further, and to allow injection of
>>>> script tags referring libraries on the cloud or on a different server
>>>> using the jsx plugin. This would allow to not have users writing scripts
>>>> tags in the body of the document to add a library.
>>>>
>>>> I would see something like :
>>>>
>>>> $jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>>
>>>> or
>>>>
>>>> $jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>>
>>>> What do you think ?
>>>>
>>>> Regards,
>>>> Jerome.


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
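To make the "Allowed JSX external URLs" idea from the thread concrete, here is an added illustration in Java (my own sketch, not code from XWiki's JSX plugin): the configured entries are reduced to exact origins (scheme, host, port), and a candidate `$jsx.use(url)` argument is accepted only if its own origin is in that set; anything that is not an absolute http(s) URL with a plain host is rejected, so it never turns into a `<script>` tag. The class and method names (`ExternalScriptPolicy`, `originOf`, `isAllowed`, `scriptTagFor`) and the `.example` hosts used in `main` are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical allow-list check for external script URLs, in the spirit of the
 * "Allowed JSX external URLs" parameter suggested on the list. Added example,
 * not XWiki code; all names here are assumptions.
 */
public final class ExternalScriptPolicy {

    /** Allowed origins as "scheme://host:port", compared exactly, never by prefix. */
    private final Set<String> allowedOrigins = new HashSet<>();

    public ExternalScriptPolicy(Collection<String> configuredOrigins) {
        for (String entry : configuredOrigins) {
            String origin = originOf(entry);
            if (origin == null) {
                throw new IllegalArgumentException("Bad allow-list entry: " + entry);
            }
            allowedOrigins.add(origin);
        }
    }

    /** Returns "scheme://host:port" for an acceptable absolute http(s) URL, or null. */
    static String originOf(String url) {
        URI uri;
        try {
            uri = new URI(url.trim());
        } catch (URISyntaxException e) {
            return null;                                  // unparseable: treat as denied
        }
        String scheme = uri.getScheme();
        if (scheme == null) return null;                  // relative or scheme-less ("//host/x.js")
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) return null; // javascript:, data:, ...
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return null;  // no server-based authority
        if (uri.getRawUserInfo() != null) return null;    // "https://trusted.name@other.host/" style
        int port = uri.getPort();
        if (port == -1) port = scheme.equals("https") ? 443 : 80; // make the default port explicit
        return scheme + "://" + host.toLowerCase(Locale.ROOT) + ":" + port;
    }

    public boolean isAllowed(String url) {
        String origin = originOf(url);
        return origin != null && allowedOrigins.contains(origin);
    }

    /** What a $jsx.use(url) implementation could call: a denied URL becomes an error, not a tag. */
    public String scriptTagFor(String url) {
        if (!isAllowed(url)) {
            throw new IllegalArgumentException("External script not in allowed JSX URLs: " + url);
        }
        // The URL is still attribute-escaped so that it cannot break out of src="...".
        return "<script type=\"text/javascript\" src=\"" + escapeAttribute(url) + "\"></script>";
    }

    private static String escapeAttribute(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        // Constructed configuration and sample inputs; the ".example" hosts are placeholders.
        ExternalScriptPolicy policy = new ExternalScriptPolicy(
            List.of("http://maps.google.com", "https://maps.google.com"));
        String[] samples = {
            "http://maps.google.com/maps?file=api&v=2&key=XXX",  // ALLOW: the URL from the thread
            "https://maps.google.com:443/maps?file=api",         // ALLOW: explicit default port
            "https://maps.google.com.other.example/x.js",        // DENY: prefix match is not a host match
            "https://other.example/?u=https://maps.google.com",  // DENY: trusted name only in the query
            "https://maps.google.com@other.example/x.js",        // DENY: userinfo before the real host
            "//maps.google.com/x.js",                            // DENY: no scheme
            "javascript:void(0)"                                 // DENY: not http(s)
        };
        for (String s : samples) {
            System.out.println((policy.isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
        System.out.println(policy.scriptTagFor(samples[0]));
    }
}
```

The check compares whole origins rather than doing `startsWith` on the configured string, which is why the third, fourth and fifth samples are denied even though each contains the allowed host name somewhere. It is a complement to, not a substitute for, Sergiu's point about forbidding raw `<script>` tags in page content: a library from an allowed origin still runs with full access to the page, so each entry in the allow list is a trust decision about that origin.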