On Wed, Nov 5, 2008 at 3:19 AM, Sergiu Dumitriu <[EMAIL PROTECTED]> wrote:

> Pascal Voitot wrote:
> > see below
> >
> > On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <[EMAIL PROTECTED]> wrote:
> >
> >> Sergiu pointed to me this had already been discussed in this thread :
> >> http://markmail.org/message/nirue2ug5ahbsy5b
> >>
> >> I agree the security concerns are not very simple to deal with if we
> >> want to do this.
> >>
> >
> > I'm currently thinking about this...
> > XSS is really annoying :)...
> > but we worry about the JSX extension; is there any security against JS
> > injection in any Wiki page?
> >
> > At least, JSX could be used as a kind of firewall...
> > imagine we create some JSX configuration parameters such as "Allowed JSX
> > external URLs"... (this is just an idea :) )...
> > Then when you call $jsx.use(externalurl), it is rendered by the JSX
> > extension which would verify the URL is allowed and if not would generate an
> > error...
> >
>
> Yes, we should forbid <script> tags inside the content, and only allow
> jsx calls.
>

Last night, I was looking at the US elections asking myself how to make
scripting more secure... It's true: people are dangerous, they hate me and
want to destroy my XWiki all the time. Conclusion: I must protect myself
from everyone...
While looking at the US elections, the US Republicans inspired me with The
solution: an XWIKI BIG NUCLEAR SOFTWARE MASSDESTRUCTION WEAPON to nuke all
users in one click if they bother me!!!!!!!! Yes, I will never give up
against any terrorist!!!!!!!! I had even found a name for this new
extension: XWiKill'emAll

And finally, I fell asleep and I had a dreaaaaaaaaaaaaam that
onnnnnnnnnnnnnnnne dayyyyy...
And this morning, I wake up and I wonder if I'm still dreaming ;)

Anyway, this morning, I feel a bit less extremist about security: people
might not be so evil and they don't hate me either... Maybe I don't need
this XWiKill'emAll... I just need to find the big security holes that would
attract the real evil guys and solve them... that will be enough!

That's why I think I will just wander a bit around the scripting security
issue to see whether I find any other holes ;)...

historical regards
Pascal


> >
> >
> >> Jerome.
> >>
> >> Jerome Velociter wrote:
> >>> I'm now thinking about another possibility: letting the actual
> >>> extensions (documents with JavaScriptExtensions objects) declare
> >>> their library dependencies. We could create a new class for this,
> >>> which would have the path (absolute in case the file is distant, or the
> >>> name of the file if it's on the FS) as a property. This way an extension can
> >>> declare as many deps as it needs.
> >>>
> >>> This is not necessarily incompatible with the proposition below, we could
> >>> have both.
> >>>
> >>> Jerome.
> >>>
> >>> Jerome Velociter wrote:
> >>>> Hello,
> >>>>
> >>>> Following the open question #1 here
> >>>> http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
> >>>>
> >>>> "
> >>>> Open question 1: Should $jsx.useFile("filename.js") work for files
> >>>> located on the disk? This allows the same pull process to be used with
> >>>> files located in the skin, without requiring SX documents and objects.
> >>>> I'd say yes. Then, what should the URL look like?
> >>>> /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
> >>>> "
> >>>>
> >>>> I would like to propose to go even further, and to allow injection of
> >>>> script tags referring to libraries on the cloud or on a different server
> >>>> using the jsx plugin. This would avoid having users write script
> >>>> tags in the body of the document to add a library.
> >>>>
> >>>> I would see something like :
> >>>>
> >>>> $jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
> >>>>
> >>>> or
> >>>>
> >>>> $jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
> >>>>
> >>>> What do you think ?
> >>>>
> >>>> Regards,
> >>>> Jerome.
>
>
> --
> Sergiu Dumitriu
> http://purl.org/net/sergiu/
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>
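The "Allowed JSX external URLs" idea from the thread, where $jsx.use(externalurl) is checked against a configured allowlist before any <script> tag is emitted, as an added Python illustration that is not XWiki's JSX code. The host list, function names and the error marker are assumptions; the allowed-host comparison and attribute escaping are the two checks the thread's proposal needs.

```python
"""Allowlist check for external script URLs pulled in through $jsx.use().

Added illustration (not XWiki's JSX code): the "Allowed JSX external URLs"
configuration idea from the thread, as a host allowlist consulted before a
URL is turned into a <script src> tag.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed stand-in for the proposed "Allowed JSX external URLs" parameter.
ALLOWED_JSX_HOSTS = frozenset({"maps.google.com", "ajax.googleapis.com"})


def allowed_jsx_url(url, allowed_hosts=ALLOWED_JSX_HOSTS):
    """Return the trimmed URL if it may be loaded as a script, else None."""
    parts = urlsplit(url.strip())
    # Only http(s): this rejects javascript:, data: and scheme-relative
    # "//host/x.js" forms, none of which name an allowed server.
    if parts.scheme not in ("http", "https"):
        return None
    # Credentials never belong in a script src; refusing them also keeps
    # "something@host" from muddying which host is actually being compared.
    if parts.username is not None or parts.password is not None:
        return None
    # .hostname is lowercased and has any port removed, so the comparison is
    # exact: "maps.google.com.evil.example" does not match "maps.google.com".
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return None
    return url.strip()


def render_jsx_script(url, allowed_hosts=ALLOWED_JSX_HOSTS):
    """Render $jsx.use(url): a <script> tag for an allowed URL, else an error marker."""
    checked = allowed_jsx_url(url, allowed_hosts)
    if checked is None:
        return "<!-- jsx error: external script URL not allowed -->"
    # Attribute-escape the URL so quotes or angle brackets inside it cannot
    # close the src attribute or the tag (& becomes &amp;, which is valid HTML).
    return '<script type="text/javascript" src="%s"></script>' % escape(checked, quote=True)


if __name__ == "__main__":
    # Constructed sample calls: the thread's example URL plus rejected forms.
    for candidate in (
        "http://maps.google.com/maps?file=api&v=2&key=XXX",
        "javascript:alert(1)",
        "//evil.example/x.js",
        "https://maps.google.com.evil.example/x.js",
    ):
        print(candidate, "->", render_jsx_script(candidate))
```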
