[Moin-user] formatter to javascript?

Matthew Nuzum newz at bearfruit.org
Tue Jan 11 16:45:07 EST 2011


On Tue, Jan 11, 2011 at 3:33 PM, Joshua Tacoma <joshua.tacoma at gmail.com> wrote:

> On 11 January 2011 15:41, Radomir Dopieralski <moinmoin at sheep.art.pl>
> wrote:
> > On Tue, Jan 11, 2011 at 9:36 PM, Joshua Tacoma <joshua.tacoma at gmail.com>
> wrote:
> > > - Are the security issues so obviously and deeply hairy that no one in
> their
> > > right mind would do such a thing?
> > Yes, there are security issues. Basically, the javascript on the page
> > has access to the cookie (and thus the session) of the user who is
> > browsing the page, and can act in that user's name on the wiki, doing
> > anything the user can do.
>
> Thanks, I was wondering about that... some ways to fix this:
>
> - Enable the formatter only on certain pages (is this possible?), keep
> restrictive ACLs on those pages, and make sure visitors and
> contributors are informed about the risks of using the site.
> - Enable the formatter only for localhost clients, and set up a
> read-only proxy on the same machine that is accessed through a
> distinct domain name, so that normal protections against cross-site
> scripting block access to the wiki.
> - Only generate JSON (from tables or yaml snippets) and maybe invent a
> simple DSL or two that could be translated to reliably safe
> javascript, for operations over the JSON data.
>
>
Creating a formatter that just spits out JSON from data in the page should
be quite safe. Then you (the site owner) have some javascript code in the
theme that grabs this json and does interesting things with it.

Allowing a user to insert Javascript (or a DSL later converted to JS) in the
page that is then run in a browser by whomever later comes to view that page
is not a good plan.

-- 
Matthew Nuzum
newz2000 on freenode, skype, linkedin, identi.ca and twitter

"An investment in knowledge pays the best interest." -Benjamin Franklin
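The "JSON only" approach from the thread, as an added illustration (not code from the list or from MoinMoin itself): a small formatter that turns `|| a || b ||` table rows into records and embeds them as inert `application/json`, with `<`, `>` and `&` escaped so a cell value cannot close the script element early. The table markup, `SAMPLE_PAGE`, and the element id are constructed for the example.

```python
import json
import re

# Constructed sample of MoinMoin-style table markup; the third row holds a
# hostile cell value to show that it stays inert data in the output.
SAMPLE_PAGE = """\
|| name || count ||
|| alpha || 3 ||
|| </script><script>alert(1)</script> || 7 ||
"""

ROW_RE = re.compile(r'^\|\|(.*)\|\|\s*$')


def table_to_records(markup):
    """Parse '|| a || b ||' rows; the first row supplies the keys."""
    rows = []
    for line in markup.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append([cell.strip() for cell in m.group(1).split('||')])
    if not rows:
        return []
    keys = rows[0]
    return [dict(zip(keys, row)) for row in rows[1:]]


def to_json_script(records, element_id="wiki-data"):
    """Serialize records into a <script type="application/json"> block.

    Browsers never execute application/json, and escaping '<', '>' and '&'
    as JSON \\uXXXX sequences means no cell value can contain a literal
    '</script>' that would terminate the element and start real script.
    The theme's own JS then reads it with
    JSON.parse(document.getElementById(element_id).textContent)."""
    text = json.dumps(records, ensure_ascii=True)
    text = (text.replace('<', '\\u003c')
                .replace('>', '\\u003e')
                .replace('&', '\\u0026'))
    return '<script type="application/json" id="%s">%s</script>' % (
        element_id, text)


def parse_embedded(html):
    """Server-side stand-in for the theme's JSON.parse(el.textContent)."""
    start = html.index('>') + 1
    end = html.rindex('</script>')
    return json.loads(html[start:end])
```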