Interesting points raised, Dave.
I am inclined to agree with Nitin and Aditya.
I feel the demo instance is critical for new adoption since this is always the
entry point for adopters :-)

As mentioned by Aditya, in OFBiz the inputs of text editors are sanitized.
Adding to it, in some places in backend screens (which require login) no
sanitization is done, considering the fact that if the user is logged in, it
means s/he is an authentic user and thus there is no security vulnerability. [I
can understand this is not applicable for the demo instance.]

In Kibble, there are not many options available for custom inputs; it takes
some defined inputs.


Best regards,
Swapnil M Mane,
www.apache.org

On Tue, Aug 20, 2019 at 11:23 AM Aditya Sharma <iamadityashar...@gmail.com>
wrote:

> That makes sense.
> As far as I know OFBiz, input that involves text editors is sanitized.
> Adding to Nitin's inputs, we can use libraries like Jsoup[1] at the back end
> to properly sanitize the user's input and at the front end some advanced
> editor like summernote that allows escaping of script execution[2]. If we
> make these changes configurable, they won't affect the intrinsic behavior.
>
> References:
> 1. https://jsoup.org/
> 2. https://summernote.org/deep-dive/#xss-protection-for-codeview
>
>
> Other references that can add to it:
> https://happycoding.io/tutorials/java-server/sanitizing-user-input
> https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/
> https://github.com/Alex-D/Trumbowyg/issues/160
> https://www.acunetix.com/websitesecurity/cross-site-scripting/
>
> Thanks and regards,
> Aditya Sharma
>
> On Tue, 20 Aug 2019 at 01:44, Nitin Lokhande <nitin.lokha...@gmail.com>
> wrote:
>
> > Thoughts I have on this which might need some more effort too.
> >
> > Allowing only alphanumeric characters in blog posts (for publish)
> > Not providing a publish option and only a preview option (can use a wider
> > character set)
> > Creating the db manually and limiting the rights of the user connecting to
> > the db.
> > Create a read-only demo by limiting the rights of the db user.
> > No visibility of new posts and appending a keyword to the blog handle
> > (delete such blogs every 30 min, by some scripts)
> > All new posts trigger emails to moderators prior/after publish (include
> > committers from different regions as moderators for the demo application)
> > Add captcha for publish as well.
> >
> > Thanks,
> > Nitin
> >
> > On Mon, Aug 19, 2019 at 11:47 AM Dave <snoopd...@gmail.com> wrote:
> >
> > > I'm not totally opposed to the idea but there are some security risks to
> > > be considered.
> > >
> > > One of Roller's biggest vulnerabilities is that users are trusted to
> > > publish any type of content and this includes JavaScript which can be
> > > used to make Cross-site scripting and request forgery attacks. You really
> > > have to trust your bloggers because the system does not sanitize user
> > > input (except for blog comments). Even if we delete the data every day
> > > bad actors could use the system to make these sorts of attacks. We could
> > > disable custom themes, but folks could still publish malicious code in
> > > blog posts.
> > >
> > > How is that handled for Kibble and OFBiz, do they sanitize all user
> > > input?
> > >
> > > Dave
> > >
> > >
> > > On Mon, Aug 19, 2019 at 9:30 AM Aditya Sharma <adityasha...@apache.org>
> > > wrote:
> > >
> > > > Indeed.
> > > >
> > > > +1
> > > >
> > > > Thanks and Regards,
> > > > Aditya Sharma
> > > >
> > > > On Sat, 17 Aug 2019 at 18:41, Swapnil M Mane <swapnilmm...@apache.org>
> > > > wrote:
> > > >
> > > > > Hi team,
> > > > >
> > > > > The new adopters and users are generally looking for a demo instance
> > > > > of any software to evaluate it.
> > > > > This brings me a thought, we should have a demo instance for
> > > > > Roller.
> > > > >
> > > > > Other Apache projects have also set up demo instances for their
> > > > > projects, like
> > > > > Apache Kibble - https://demo.kibble.apache.org/
> > > > > Apache OFBiz - https://demo-trunk.ofbiz.apache.org/ecommerce/control/main
> > > > >
> > > > > The demo instance will be redeployed every day with fresh data and the
> > > > > latest codebase (we may set up instances for old releases, but it is
> > > > > not the priority; we can do it later).
> > > > >
> > > > > We can request the infra team to set up the demo instance at
> > > > > https://demo.roller.apache.org/
> > > > >
> > > > > Thoughts?
> > > > > Please let me know if I missed any existing demo instance.
> > > > >
> > > > > Best regards,
> > > > > Swapnil M Mane,
> > > > > www.apache.org
> > > > >
> > > >
> > >
> >
>
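The back-end Jsoup allowlist that Aditya proposes above, as an added example that is not code from this thread or from Roller, OFBiz or Kibble; the class, its on/off toggle and the sample posts are assumptions, and the `Safelist` class name is what jsoup 1.14 and later use (older releases call it `Whitelist`).

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/** Server-side sanitizer for blog post HTML, run before the post is stored. */
public class BlogPostSanitizer {

    // Allowlist for blog content: basic formatting, links and images stay.
    // script/style tags, on* event-handler attributes and javascript: URLs are
    // not on the list, so jsoup strips them; links get rel="nofollow" enforced.
    private static final Safelist BLOG_SAFELIST = Safelist.basicWithImages()
            .addTags("h2", "h3", "table", "thead", "tbody", "tr", "th", "td");

    // Hypothetical on/off switch so the change can be made configurable.
    private final boolean sanitizeEnabled;

    public BlogPostSanitizer(boolean sanitizeEnabled) {
        this.sanitizeEnabled = sanitizeEnabled;
    }

    /** Returns the post with everything outside the allowlist removed. */
    public String sanitize(String untrustedHtml) {
        if (!sanitizeEnabled) {
            return untrustedHtml;
        }
        return Jsoup.clean(untrustedHtml, BLOG_SAFELIST);
    }

    /** True when the HTML already satisfies the allowlist; false means it was
     *  altered, which is worth logging or reporting to moderators. */
    public boolean isAlreadyClean(String html) {
        return Jsoup.isValid(html, BLOG_SAFELIST);
    }

    public static void main(String[] args) {
        BlogPostSanitizer sanitizer = new BlogPostSanitizer(true);
        // Constructed sample posts: one benign, three with script in different
        // places (a tag, an event-handler attribute, a URL scheme).
        String[] samples = {
            "<p>Hello <b>world</b> <a href=\"https://roller.apache.org/\">Roller</a></p>",
            "<p>Hi</p><script>alert('xss')</script>",
            "<img src=\"https://example.invalid/a.png\" onerror=\"alert('xss')\">",
            "<a href=\"javascript:alert('xss')\">click</a>"
        };
        for (String post : samples) {
            System.out.println("clean=" + sanitizer.isAlreadyClean(post)
                    + " -> " + sanitizer.sanitize(post));
        }
    }
}
```

Leaving the toggle off reproduces the current trust-the-blogger behaviour Dave describes, so the setting can default to on for a demo instance only; a false result from `isAlreadyClean` is also a natural trigger for the moderator e-mails Nitin suggests.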
