Hi everyone,

I have been quite busy for several months on other matters than Jmol, so I
haven't worked at all on the extension.
I am happy to see people interested in making it work, and bringing it to
Wikipedia.

On the matter of security issues, there are at least 2 things to do:

   - Being able to entirely deactivate the possibility of arbitrary
   Javascript being called by Jmol. I don't know if there's a way in Jmol to
   disable this. There's a need to completely disable the 'javascript' command
   in Jmol scripts. The problem is demonstrated by
   http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
   - Ensuring that the extension doesn't allow for true Javascript injection
   (whatever text is entered by someone in the <jmol> tags, this only creates
   a Jmol applet and Jmol scripts, nothing else). I think this means ensuring
   that in the generated page, the text is always correctly escaped to prevent
   Javascript injection.

Both things clearly need to be done in order to hope to see Jmol on
Wikipedia: letting every editor add arbitrary Javascript that
will be run by everyone viewing a page is a security issue.

The first problem first needs to be addressed in the Jmol applet itself. Is
there a way to add an option in the applet construction to remove the
'javascript' command in Jmol scripts? Bob?

The second problem needs to be treated in the extension. My knowledge of PHP
and the security issues is limited (and I don't have much time available), so
some help from someone who knows how to deal with script injection would
be very useful.

Nico
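The second point above (text from a <jmol> tag must only ever become a Jmol applet plus a Jmol script, never additional page Javascript) is easy to get wrong and easy to check. The block below is an added example, not code from the Jmol extension or from Nico's message; it assumes, as an illustration only, that the extension emits a small <script> element calling a hypothetical `jmolApplet(size, script)` helper with the editor's script as a string argument. It shows the vulnerable concatenation beside an escaped version, with a constructed hostile input and two checks a reviewer would run on the generated HTML. It does not address the first point (the Jmol 'javascript' command itself), which has to be solved inside the applet.

```javascript
// Added example: escaping editor-supplied text when it is written into
// generated Javascript. The jmolApplet(size, script) call shape is an
// assumption made for illustration; only the escaping rule matters here.

// Constructed sample inputs, standing in for the body of a <jmol> tag.
const SAMPLE_BENIGN = 'load caffeine.mol; spin on';
// Closes the string and the call, then closes the <script> element and
// opens a new one, so the rest runs as ordinary page Javascript.
const SAMPLE_HOSTILE =
  'spin on"); alert(document.cookie); //</script><script>alert(1)</script>';

// Deliberately vulnerable rendering: plain string concatenation.
function renderJmolVulnerable(script) {
  return '<script type="text/javascript">jmolApplet(300, "' + script + '");</script>';
}

// Escaped rendering. JSON.stringify yields a valid JS string literal with
// quotes, backslashes and control characters escaped; the extra replacements
// keep the literal from containing "</script" or any other HTML tag, and
// neutralise the two Unicode line terminators that JSON allows but JS does not.
function jsStringLiteral(s) {
  return JSON.stringify(s)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderJmolEscaped(script) {
  return '<script type="text/javascript">jmolApplet(300, ' + jsStringLiteral(script) + ');</script>';
}

// Check 1: the output must contain exactly one opening and one closing
// script tag, i.e. the editor's text cannot leave the element.
function scriptTagCount(html) {
  return (html.match(/<\/?script\b/gi) || []).length;
}

// Check 2: the script argument must parse back to exactly what the editor
// typed. The regex only accepts a single well-formed string literal followed
// directly by the end of the call, so a broken-out payload yields null.
function extractScriptArg(html) {
  const m = /jmolApplet\(300, ("(?:[^"\\]|\\.)*")\);<\/script>$/.exec(html);
  return m ? JSON.parse(m[1]) : null;
}

// Stand-alone demonstration.
for (const sample of [SAMPLE_BENIGN, SAMPLE_HOSTILE]) {
  const bad = renderJmolVulnerable(sample);
  const good = renderJmolEscaped(sample);
  console.log('vulnerable: tags=' + scriptTagCount(bad) + ' arg=' + JSON.stringify(extractScriptArg(bad)));
  console.log('escaped:    tags=' + scriptTagCount(good) + ' arg=' + JSON.stringify(extractScriptArg(good)));
}
```

The same two checks can be applied to whatever the real extension emits: count script tags in the generated HTML and round-trip the script argument. In PHP the equivalent of `jsStringLiteral` is `json_encode()` with `JSON_HEX_TAG` (which produces the `\u003c` / `\u003e` forms above), assuming the output is only ever placed inside a Javascript string literal and never directly into an HTML attribute or text node, where HTML escaping is needed instead.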
_______________________________________________
Jmol-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/jmol-users