* Daniel Cheng <j16sdiz+freenet at gmail.com> [2008-06-02 22:19:45]:

> 2008/6/2 Florent Daignière <nextgens at freenetproject.org>:
> > * Daniel Cheng <j16sdiz+freenet at gmail.com> [2008-06-01 23:11:04]:
> >
> >> On Sun, Jun 1, 2008 at 5:03 AM, Ahmed MANSOUR <911freak at gmail.com>
> >> wrote:
> >> > Hi,
> >> > I recently discovered a wiki system called "wiki on the stick" and
> >> > TiddlyWiki.com; they are both single-file wiki systems made
> >> > in JavaScript, so they run inside the browser without the need of a
> >> > webserver or other scripting languages.
> >>
> >> er.. FProxy strips out JavaScript ...
> >>
> >> This is essential for user privacy (until someone comes up with a
> >> custom browser that won't access the internet)
> >>
> >
> > It strips it out because we don't have a JavaScript filter yet... Maybe
> > it's a good reason to code one :)
> >
>
> Is that doable?
> An attacker can change the .src attribute of an <img> tag to point to
> an external site.
> There are several DOM and non-DOM methods for changing that. A
> whitelist approach will make many objects in JavaScript non-usable.

We could interpret the JS in a sandbox (VM) and determine if we want to filter it or not.
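The sandbox idea in the last reply, sketched as an added example that is not part of the original thread or of Freenet's code: a recording stand-in for `document` logs every write of an external URL to a fetch-triggering attribute, which is the signal a filter would act on. All function names and sample scripts are constructed for illustration, and `new Function` is used only to drive the stubs; it is not an isolation boundary.

```javascript
// Attributes whose value makes a browser fetch a resource.
const URL_ATTRS = new Set(['src', 'href', 'action', 'background']);

// Assumption: a value with a scheme ("http:") or a protocol-relative prefix ("//")
// would leave the local proxy; relative paths would not.
function isExternal(value) {
  return /^\s*(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(String(value));
}

// Element stub: every property write goes through the Proxy set trap.
function makeElement(tag, findings) {
  const element = {
    tagName: tag.toUpperCase(),
    setAttribute(name, value) { this[name] = value; }, // `this` is the Proxy
  };
  return new Proxy(element, {
    set(target, prop, value) {
      if (URL_ATTRS.has(String(prop).toLowerCase()) && isExternal(value)) {
        findings.push({ tag, attr: String(prop), value: String(value) });
      }
      target[prop] = value;
      return true;
    },
  });
}

// Run a script against the stub document and return what it tried to load.
// new Function is NOT an isolation boundary; it only drives the stubs here.
function auditScript(source) {
  const findings = [];
  const document = {
    createElement: (tag) => makeElement(tag, findings),
    getElementById: () => makeElement('img', findings),
  };
  try {
    new Function('document', source)(document);
  } catch (err) {
    findings.push({ error: String(err.message) });
  }
  return findings;
}

// Constructed sample scripts (hypothetical page content).
const direct = "document.getElementById('logo').src = 'http://tracker.example/p.gif';";
const viaAttr = "var i = document.createElement('img'); i.setAttribute('src', '//tracker.example/p.gif');";
const local = "document.getElementById('logo').src = 'images/logo.png';";
const gated = "if (false) { document.getElementById('logo').src = 'http://tracker.example/p.gif'; }";
```

The `gated` sample yields no findings although it contains an external URL: a run-time recorder only sees the branch that executed, so a clean run is not proof that a script is safe to pass through.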
