I'd like to keep this discussion going, so here is a little bit more, 
picking up on the possibilities to have Jmol supported in Wikipedia 
and other Wikis:


On 30 Nov 2008 22:53, Nicolas Vervelle wrote:
> 
> On the matter of security issues, there are at least 2 things to do :
> *   Being able to entirely deactivate the possibility to let arbitrary 
>     Javascript being called by Jmol. I don't know if there's a way in 
>     Jmol to disable this. There's a need to completely disable the 
>     'javascript' command in Jmol scripts. The problem is demonstrated by 
>     http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo

Do we still need this? (see below)


> *   Ensuring that the extension doesn't allow for true Javascript 
>     injection (whatever text is entered by someone in the <jmol>tags, 
>     this only creates Jmol applet and Jmol scripts, nothing else). I 
>     think this means ensuring that in the generated page, the text is 
>     always correctly escaped to prevent Javascript injection.

This is implemented in the last update.

> The second problem needs to be treated in the extension. My knowledge 
> on PHP and the security issues is limited (and I don't have much time 
> available), so some help from someone knowing how to deal with the 
> script injection would be very useful.

The way I've implemented it, any script passed to the Extension 
(inside the extension's <script> tag) containing the word 
"javascript" (case-insensitive) will be completely ignored.
I guess it can be done so that only the javascript part is removed and 
the remaining script is preserved, but I don't know so much PHP as to 
do so. And the idea is that users-editors of wiki pages should not 
try at all to use javascript in the wiki pages.

As a side effect, the <text>, <title>, <name>... tags of the 
extension cannot contain the forbidden word either (they are all 
parsed via the same function as script is). Not a big sacrifice.


And on 1 Dec 2008 9:49, Brian Salter-Duke wrote:
> I am just thinking aloud here. I think there could be a solution to add
> a change to mediawiki itself to have some specific Jmol tags, something
> like:
> 
> <jmolimage> ... </jmolimage>

We already have the <jmol> tag added by the extension. Is there any 
difference intended?

> avoiding all calls to Jmol itself. 

I don't quite understand. There is no call to Jmol until the 
extension inserts the Jmol code. And by using <jmolAppletButton>
or <jmolAppletLink> one avoids Jmol being loaded until the visitor 
requests it.


> The parameters for jmolimage would
> give everything that was needed, method, file names, etc. Mediawiki
> itself would then be doing any checks that were needed. It would also
> be easier for wikipedia editors and I suspect the wikipedia techs would
> prefer this solution. Is this worth following up? I do not know
> mediawiki and could be just talking nonsense.

I think it is the JmolMediaWiki Extension that must do all this 
anyway, not the generic MediaWiki software. And it is doing so 
already, by using the different sub-tags of the <jmol> tag. Do you 
envisage any differences, Brian? Please elaborate on that.

The configuration in the server (LocalSettings.php) may block the use 
of external URLs for models, or of uploaded files, or may block or 
impose the use of the signed applet. The rest of the task is inside the 
Extension.


> Another advantage of this approach is that wikipedia could limit the
> methods available and perhaps limit them to file upload only. 

Already possible (see above).


> The
> mediawiki code would need changing anyway to allow use of Jmol files on
> Commons as well as wikipedia. 

This needs further work, but is related to the above config. 
settings.
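The two defences discussed in this message (dropping any script that contains the word "javascript", and escaping everything else before it is written into the generated page), as an added PHP example; this is not the JmolMediaWiki extension's own code, and the function names jmolRejectsScript, jmolEscapeForScript, jmolEscapeForHtml and jmolRenderScript are assumptions:

```php
<?php
// Added example, not the extension's own code. Function names are assumed.

/**
 * Blanket rule from the thread: any script containing the word
 * "javascript", case-insensitively, is ignored entirely.
 * Returns true when the script must be dropped.
 */
function jmolRejectsScript(string $script): bool
{
    return stripos($script, 'javascript') !== false;
}

/**
 * Second defence: whatever survives the filter is still untrusted text and
 * must be escaped for the context it lands in. Here the script becomes a
 * JavaScript string literal inside an inline <script>, so it is JSON-encoded
 * with <, >, &, ' and " written as \uXXXX; a "</script>" or "<!--" inside
 * the value can then no longer break out of the element.
 */
function jmolEscapeForScript(string $text): string
{
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

/** Text written into HTML body or attribute context (e.g. the <title> sub-tag). */
function jmolEscapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Builds the generated-page fragment for one <script> sub-tag, or nothing. */
function jmolRenderScript(string $script): string
{
    if (jmolRejectsScript($script)) {
        return '';  // dropped entirely, as the extension does today
    }
    return 'jmolScript(' . jmolEscapeForScript($script) . ');';
}

// Constructed sample inputs: a normal Jmol script, one caught by the keyword
// filter, and one with no keyword that only the escaping step neutralises.
$cases = [
    'load caffeine.mol; spin on;',
    'load x.mol; JavaScript alert(1);',
    'load x.mol; </script><script>alert(1)</script>',
];
foreach ($cases as $c) {
    echo jmolRenderScript($c), "\n";
}
echo '<div title="' . jmolEscapeForHtml('Caffeine "1,3,7-trimethylxanthine"') . '"></div>', "\n";
```

The third case shows why the keyword filter alone is not enough: it contains no "javascript" but would still close the script element if written out unescaped.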



_______________________________________________
Jmol-users mailing list
Jmol-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jmol-users