On Sun, Nov 30, 2008 at 10:53:29PM +0100, Nicolas Vervelle wrote:
> Hi everyone,
> 
> I have been quite busy for several months on other matters than Jmol, so I
> haven't worked at all on the extension.
> I am happy to see people interested in making it work, and bringing it to
> Wikipedia.
> 
> On the matter of security issues, there are at least 2 things to do:
> 
>    - Being able to entirely deactivate the possibility to let arbitrary
>    Javascript being called by Jmol. I don't know if there's a way in Jmol to
>    disable this. There's a need to completely disable the 'javascript' command
>    in Jmol scripts. The problem is demonstrated by
>    http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
>    - Ensuring that the extension doesn't allow for true Javascript injection
>    (whatever text is entered by someone in the <jmol> tags, this only creates
>    Jmol applet and Jmol scripts, nothing else). I think this means ensuring
>    that in the generated page, the text is always correctly escaped to prevent
>    Javascript injection.
> 
> Both things clearly need to be done in order to hope to see Jmol on
> Wikipedia: having every editor being able to add arbitrary Javascript that
> will be run by everyone viewing a page is a security issue.
> 
> The first problem needs first to be answered in the Jmol applet itself. Is
> there a way to add an option in the applet construction to remove the
> 'javascript' command in Jmol scripts? Bob?
> 
> The second problem needs to be treated in the extension. My knowledge on PHP
> and the security issues is limited (and I don't have much time available), so
> some help from someone knowing how to deal with the script injection would
> be very useful.
> 
> Nico

I am just thinking aloud here. I think there could be a solution to add
a change to mediawiki itself to have some specific Jmol tags, something
like:

<jmolimage> ... </jmolimage>

avoiding all calls to Jmol itself. The parameters for jmolimage would
give everything that was needed, method, file names, etc. Mediawiki
itself would then be doing any checks that were needed. It would also
be easier for wikipedia editors and I suspect the wikipedia techs would
prefer this solution. Is this worth following up? I do not know
mediawiki and could be just talking nonsense.

Another advantage of this approach is that wikipedia could limit the
methods available and perhaps limit them to file upload only. The
mediawiki code would need changing anyway to allow use of Jmol files on
Commons as well as wikipedia. Some mediawiki changes are going to be
needed anyway.

Brian.

-- 
Real Programmers can write FORTRAN in any language.
                                                -- unknown
Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au
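The following is an added example, not code from the Jmol extension or from either poster, modelling the two checks discussed in this thread: Nico's point that whatever an editor types inside the tag must only ever become a Jmol applet plus a Jmol script (so the 'javascript' command must never get through and every value must be escaped), and Brian's proposal of a restricted jmolimage-style tag whose parameters are validated by the wiki side before anything is emitted. It assumes Jmol scripts are ';'-separated statements whose first word is the command name, and it assumes 'load' and 'script' as applet parameter names; the command allowlist, the permitted file extensions and the upload path are illustrative constructions. It is written in Python rather than the extension's PHP so the logic is easy to run stand-alone.

```python
from __future__ import annotations

import html
import re

# Assumption: illustrative allowlist of Jmol commands the tag may emit. The
# only command the thread names is 'javascript', which is deliberately absent;
# anything not listed here is refused rather than passed through.
ALLOWED_COMMANDS = frozenset(
    {"load", "spin", "wireframe", "spacefill", "color", "background", "zoom"}
)

# Assumption: a jmolimage tag only references bare uploaded structure files,
# never URLs, directories or path components.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*\.(pdb|mol|xyz|cif)$", re.IGNORECASE)

# The only tag parameters the wiki side accepts (Brian's "limit the methods available").
ALLOWED_PARAMS = frozenset({"file", "script", "size"})


class UnsafeJmolInput(ValueError):
    """Raised when tag content would produce anything other than an applet and a Jmol script."""


def check_script(script: str) -> list[str]:
    """Return the statements of a Jmol script if every command is on the allowlist.

    Splitting on ';' ignores quoting, which is deliberate: a ';' inside a quoted
    string yields a fragment whose first word is not a command, so it is refused.
    Erring towards rejection is the safe direction for user-supplied script text.
    """
    statements: list[str] = []
    for raw in script.split(";"):
        stmt = raw.strip()
        if not stmt:
            continue
        command = stmt.split(None, 1)[0].lower()
        if command not in ALLOWED_COMMANDS:
            raise UnsafeJmolInput(f"command not allowed: {command!r}")
        statements.append(stmt)
    return statements


def check_params(params: dict[str, str]) -> dict:
    """Validate the tag's parameters: unknown keys, odd file names and bad sizes are refused."""
    unknown = set(params) - ALLOWED_PARAMS
    if unknown:
        raise UnsafeJmolInput(f"unknown parameters: {sorted(unknown)}")
    if "file" not in params or not FILENAME_RE.match(params["file"]):
        raise UnsafeJmolInput("file must be a bare structure filename")
    size = params.get("size", "300")
    if not size.isdigit() or not 50 <= int(size) <= 1000:
        raise UnsafeJmolInput("size must be an integer between 50 and 1000")
    return {
        "file": params["file"],
        "size": int(size),
        "script": check_script(params.get("script", "")),
    }


def render_jmolimage(params: dict[str, str], upload_base: str = "/images/") -> str:
    """Build the applet markup after validation; every value is HTML-escaped so it can only be data."""
    clean = check_params(params)
    script_text = "; ".join(clean["script"])
    # Assumption: 'load' and 'script' applet parameter names; markup is illustrative.
    return (
        f'<applet code="JmolApplet" archive="JmolApplet.jar" '
        f'width="{clean["size"]}" height="{clean["size"]}">'
        f'<param name="load" value="{html.escape(upload_base + clean["file"], quote=True)}">'
        f'<param name="script" value="{html.escape(script_text, quote=True)}">'
        "</applet>"
    )


if __name__ == "__main__":
    # Constructed sample tag content: accepted.
    print(render_jmolimage({"file": "1abc.pdb", "script": "load 1abc.pdb; spin on"}))
    # Constructed sample using the 'javascript' command from the thread: refused.
    try:
        render_jmolimage({"file": "1abc.pdb", "script": "load 1abc.pdb; javascript alert(1)"})
    except UnsafeJmolInput as exc:
        print("refused:", exc)
```

The two layers are independent on purpose: the allowlist in check_script stops the 'javascript' command (and anything else unexpected) before any markup exists, while html.escape in render_jmolimage makes sure that even an allowed command's arguments cannot close the attribute or the param element. Disabling the command inside the applet itself, as Nico asks Bob about, would be a third layer rather than a replacement for these.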


_______________________________________________
Jmol-users mailing list
Jmol-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jmol-users
