Re: [Jmol-users] Jmol mediawiki extension
Hi everyone,

I have been quite busy for several months on other matters than Jmol, so I haven't worked at all on the extension. I am happy to see people interested in making it work, and bringing it to Wikipedia.

On the matter of security issues, there are at least 2 things to do:

- Being able to entirely deactivate the possibility to let arbitrary Javascript be called by Jmol. I don't know if there's a way in Jmol to disable this. There's a need to completely disable the 'javascript' command in Jmol scripts. The problem is demonstrated by http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
- Ensuring that the extension doesn't allow for true Javascript injection (whatever text is entered by someone in the jmol tags, this only creates Jmol applet and Jmol scripts, nothing else). I think this means ensuring that in the generated page, the text is always correctly escaped to prevent Javascript injection.

Both things clearly need to be done in order to hope to see Jmol on Wikipedia: having every editor able to add arbitrary Javascript that will be run by everyone viewing a page is a security issue.

The first problem needs first to be answered in the Jmol applet itself. Is there a way to add an option in the applet construction to remove the 'javascript' command in Jmol scripts? Bob?

The second problem needs to be treated in the extension. My knowledge of PHP and the security issues is limited (and I don't have much time available), so some help from someone knowing how to deal with the script injection would be very useful.

Nico

-
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge. Build the coolest Linux based applications with Moblin SDK, win great prizes. Grand prize is a trip for two to an Open Source event anywhere in the world. http://moblin-contest.org/redirect.php?banner_id=100url=/
___
Jmol-users mailing list
Jmol-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jmol-users
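The second point above (the extension must only ever emit an applet and a Jmol script, with every value escaped for the context it lands in) can be illustrated with a small server-side helper. The code below is an added example written for this thread; it is not code from the Jmol extension or from any of the posters. It assumes a hypothetical extension that receives the text inside a jmol tag and must return HTML, that the applet is embedded with an `<applet>` element taking `load` and `script` params, and it uses an illustrative allowlist of Jmol commands that a real deployment would tune. It does not replace the applet-side switch Nico asks for: a server-side allowlist only sees the script text the editor typed, so commands that fetch further scripts (such as `script`) are kept off the list too.

```php
<?php
// Added example (hypothetical helper for a Jmol MediaWiki extension).
// Two defences from the thread: (a) escape every editor-supplied value for
// the HTML attribute context it is placed in, and (b) refuse Jmol scripts
// whose commands fall outside a small allowlist, so the 'javascript' command
// (and 'script', which can pull in more commands from a URL) never reaches
// the applet at all.

/** Commands an editor may use. Illustrative list, an assumption of this example. */
function jmolAllowedCommands(): array {
    return ['load', 'select', 'spacefill', 'wireframe', 'cartoon', 'color',
            'background', 'spin', 'rotate', 'zoom', 'center'];
}

/**
 * Split a Jmol script into statements and return the command names that are
 * not allowlisted. Splitting on ';' and newlines is deliberately crude: a ';'
 * inside a quoted string yields a bogus "statement" whose first word is then
 * rejected, which errs toward refusing a script rather than accepting it.
 */
function jmolDisallowedCommands(string $script): array {
    $allowed = jmolAllowedCommands();
    $bad = [];
    foreach (preg_split('/[;\r\n]+/', $script) as $stmt) {
        $stmt = trim($stmt);
        if ($stmt === '' || $stmt[0] === '#') {   // blank line or '#' comment
            continue;
        }
        $words = preg_split('/\s+/', $stmt);      // first word is the command
        $cmd = strtolower($words[0]);
        if (!in_array($cmd, $allowed, true)) {
            $bad[] = $cmd;
        }
    }
    return array_values(array_unique($bad));
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function jmolAttr(string $value): string {
    // ENT_QUOTES also escapes single quotes; <, >, & and " are always escaped,
    // so the value cannot close the attribute, the tag, or start a new one.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Render the applet markup for an editor-supplied script and file name.
 * On a rejected script, only an escaped error message is emitted: no applet.
 */
function jmolRenderApplet(string $script, string $file, int $size = 300): string {
    $bad = jmolDisallowedCommands($script);
    if ($bad !== []) {
        return '<span class="error">Jmol: disallowed command(s): '
             . jmolAttr(implode(', ', $bad)) . '</span>';
    }
    $size = max(50, min(1000, $size));   // clamp dimensions to a sane range
    return '<applet name="jmolApplet" code="JmolApplet" archive="JmolApplet.jar"'
         . ' width="' . $size . '" height="' . $size . '">'
         . '<param name="load" value="' . jmolAttr($file) . '" />'
         . '<param name="script" value="' . jmolAttr($script) . '" />'
         . '</applet>';
}

// Constructed inputs for the demo (not from the wiki):
$harmless = "load caffeine.mol; spacefill off; wireframe 0.2; spin on";
$injected = "load x.mol; javascript alert(document.cookie)";
$breakout = "spin on\"><script>alert(1)</script>";

echo jmolRenderApplet($harmless, 'caffeine.mol'), "\n";   // applet markup
echo jmolRenderApplet($injected, 'x.mol'), "\n";          // error span, no applet
echo jmolRenderApplet($breakout, 'x.mol'), "\n";          // the quote and tag are escaped
```

The third constructed input shows why escaping and the allowlist are separate controls: `spin on"><script>...` passes the command check (its first word is `spin`), so it is the attribute escaping, not the allowlist, that keeps it inert in the generated page.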
Re: [Jmol-users] Jmol mediawiki extension
On Sun, Nov 30, 2008 at 10:53:29PM +0100, Nicolas Vervelle wrote:

> Hi everyone,
>
> I have been quite busy for several months on other matters than Jmol, so I haven't worked at all on the extension. I am happy to see people interested in making it work, and bringing it to Wikipedia.
>
> On the matter of security issues, there are at least 2 things to do:
>
> - Being able to entirely deactivate the possibility to let arbitrary Javascript be called by Jmol. I don't know if there's a way in Jmol to disable this. There's a need to completely disable the 'javascript' command in Jmol scripts. The problem is demonstrated by http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
> - Ensuring that the extension doesn't allow for true Javascript injection (whatever text is entered by someone in the jmol tags, this only creates Jmol applet and Jmol scripts, nothing else). I think this means ensuring that in the generated page, the text is always correctly escaped to prevent Javascript injection.
>
> Both things clearly need to be done in order to hope to see Jmol on Wikipedia: having every editor able to add arbitrary Javascript that will be run by everyone viewing a page is a security issue.
>
> The first problem needs first to be answered in the Jmol applet itself. Is there a way to add an option in the applet construction to remove the 'javascript' command in Jmol scripts? Bob?
>
> The second problem needs to be treated in the extension. My knowledge of PHP and the security issues is limited (and I don't have much time available), so some help from someone knowing how to deal with the script injection would be very useful.
>
> Nico

I am just thinking aloud here. I think there could be a solution to add a change to mediawiki itself to have some specific Jmol tags, something like:

<jmolimage> ... </jmolimage>

avoiding all calls to Jmol itself. The parameters for jmolimage would give everything that was needed: method, file names, etc.

Mediawiki itself would then be doing any checks that were needed. It would also be easier for wikipedia editors and I suspect the wikipedia techs would prefer this solution.

Is this worth following up? I do not know mediawiki and could be just talking nonsense.

Another advantage of this approach is that wikipedia could limit the methods available and perhaps limit them to file upload only. The mediawiki code would need changing anyway to allow use of Jmol files on Commons as well as wikipedia. Some mediawiki changes are going to be needed anyway.

Brian.

--
Real Programmers can write FORTRAN in any language. -- unknown
Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au
Re: [Jmol-users] Jmol mediawiki extension
Hi folks,

Gerard Meijssen [EMAIL PROTECTED] has asked me to pass this on to the Jmol list. I responded to this discussion on the Commons-l list: [Commons-l] Support for Chemical Markup Language - followup

--
Hoi,

If you want to get the JMOL software internationalised and localised, you may want to consider talking to the Betawiki people. We do the localisation of MediaWiki and we do the localisation of many of its extensions. We would be interested in working on JMOL as it is a lively and relevant software / community. I am also involved in a testing environment for MediaWiki extensions; if you are interested in using this environment, let me know. I take it that you will convey my message to the JMOL mailing list?

Thanks,
Gerard
--

This does seem to be a useful idea. I'll have a look at betawiki but I'm very busy this week and early next week.

Cheers, Brian.

--
Brian Salter-Duke (Brian Duke)
626 Melbourne Rd, Spotswood, VIC, 3015, Australia.
Email: [EMAIL PROTECTED]
Phone: 03-93992847
Web: http://www.salter-duke.bigpondhosting.com/brian/index.htm