Pascal Voitot wrote:
see below
On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <jerome(a)xwiki.com> wrote:
Sergiu pointed out to me that this had already been
discussed in this thread:
http://markmail.org/message/nirue2ug5ahbsy5b
I agree the security concerns are not very simple to deal with if we
want to do this.
I'm currently thinking about this...
XSS is really annoying :)...
but we are worried about the JSX extension, but is there any security against JS
injection in any Wiki page?
At least, JSX could be used as a kind of firewall...
imagine we create some JSX configuration parameters such as "Allowed JSX
external URLs"... (this is just an idea :) )...
Then when you call $jsx.use(externalurl), it is rendered by the JSX
extension, which would verify that the URL is allowed and, if not, would generate an
error...
Yes, we should forbid <script> tags inside the content, and only allow
jsx calls.
> Jerome.
>
> Jerome Velociter wrote:
>> I'm now thinking about another possibility: letting the actual
>> extensions (documents with JavaScriptExtensions objects) declare
>> their library dependencies. We could create a new class for this,
>> which would have the path (absolute in case the file is distant, or name
>> of the file if it's on the FS) as a property. This way an extension can
>> declare as many deps as it needs.
>>
>> This is not necessarily incompatible with the proposition below; we could
>> have both.
>>
>> Jerome.
>>
>> Jerome Velociter wrote:
>>> Hello,
>>>
>>> Following the open question #1 here
>>>
>>> http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
>>>
>>> "
>>> Open question 1: Should $jsx.useFile("filename.js") work for files
>>> located on the disk? This allows the same pull process to be used with
>>> files located in the skin, without requiring SX documents and objects.
>>> I'd say yes. Then, what should the URL look like?
>>> /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
>>> "
>>>
>>> I would like to propose to go even further, and to allow injection of
>>> script tags referring to libraries on the cloud or on a different server
>>> using the jsx plugin. This would avoid having users write script
>>> tags in the body of the document to add a library.
>>>
>>> I would see something like:
>>>
>>>
>>> $jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>
>>> or
>>>
>>>
>>> $jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
>>>
>>> What do you think?
>>>
>>> Regards,
>>> Jerome.
--
Sergiu Dumitriu
http://purl.org/net/sergiu/
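As an added illustration of the "firewall" idea in the thread (an "Allowed JSX external URLs" setting checked before $jsx.use(externalurl) emits a script tag), here is an allowlist check written for this page; it is not XWiki code and nothing in the thread specifies its shape. The configuration format (a list of URL prefixes: scheme, host, optional port, path prefix), the class name JsxUrlAllowlist and the method names check/isAllowed are assumptions. The point it makes beyond the thread is that a plain string prefix comparison is not enough: the check has to be done on parsed components, with userinfo, non-http(s) schemes, and dot/slash tricks in the path rejected, and the match has to stop at a path-segment boundary.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example, not XWiki's own code: the check a JSX "firewall" could run
 * before emitting a script tag for $jsx.use(externalUrl). The config is
 * assumed to be a list of URL prefixes; class and method names are hypothetical.
 */
public final class JsxUrlAllowlist {

    /** One allowed prefix, already validated and normalized. */
    private static final class Entry {
        final String scheme;
        final String host;
        final int port;
        final String pathPrefix;

        Entry(URI u) {
            scheme = u.getScheme().toLowerCase(Locale.ROOT);
            host = u.getHost().toLowerCase(Locale.ROOT);
            port = effectivePort(u);
            // An empty path ("https://cdn.example.com") means "anything on this host".
            pathPrefix = u.getRawPath().isEmpty() ? "/" : u.getRawPath();
        }
    }

    private final List<Entry> entries = new ArrayList<>();

    public JsxUrlAllowlist(List<String> allowedPrefixes) {
        for (String p : allowedPrefixes) {
            entries.add(new Entry(parseStrict(p))); // bad config fails at load time, not at use
        }
    }

    /** Returns the normalized URL to emit, or throws SecurityException if not allowed. */
    public String check(String url) {
        URI u;
        try {
            u = parseStrict(url);
        } catch (IllegalArgumentException e) {
            throw new SecurityException("JSX: rejected URL '" + url + "': " + e.getMessage());
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost().toLowerCase(Locale.ROOT);
        int port = effectivePort(u);
        String path = u.getRawPath().isEmpty() ? "/" : u.getRawPath();
        for (Entry e : entries) {
            if (e.scheme.equals(scheme) && e.host.equals(host) && e.port == port
                    && pathUnder(path, e.pathPrefix)) {
                // Rebuild from validated components: fragment dropped, query kept as-is.
                return scheme + "://" + host + (u.getPort() == -1 ? "" : ":" + port) + path
                        + (u.getRawQuery() == null ? "" : "?" + u.getRawQuery());
            }
        }
        throw new SecurityException("JSX: external URL not in allowlist: " + url);
    }

    public boolean isAllowed(String url) {
        try { check(url); return true; } catch (SecurityException e) { return false; }
    }

    /** Accepts only absolute http(s) URLs with a host, no userinfo and no path tricks. */
    private static URI parseStrict(String s) {
        URI u;
        try {
            u = new URI(s).normalize(); // collapses "." and ".." segments in the raw path
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed: " + e.getReason());
        }
        if (u.getScheme() == null || u.getHost() == null) {
            throw new IllegalArgumentException("must be an absolute URL with a host");
        }
        String scheme = u.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("scheme must be http or https");
        }
        if (u.getRawUserInfo() != null) { // e.g. http://trusted.host@evil.host/
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String rawPath = u.getRawPath().toLowerCase(Locale.ROOT);
        // Encoded '/', '\' or '.' could change the segment structure once the origin decodes it.
        if (rawPath.contains("%2f") || rawPath.contains("%5c") || rawPath.contains("%2e")
                || ("/" + rawPath + "/").contains("/../")) {
            throw new IllegalArgumentException("path traversal or encoded separators");
        }
        return u;
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Segment-boundary prefix match: "/maps" allows "/maps" and "/maps/x", not "/maps-evil". */
    private static boolean pathUnder(String path, String prefix) {
        if (prefix.endsWith("/")) return path.startsWith(prefix);
        return path.equals(prefix) || path.startsWith(prefix + "/");
    }

    public static void main(String[] args) {
        // Constructed configuration, standing in for an "Allowed JSX external URLs" setting.
        JsxUrlAllowlist allow = new JsxUrlAllowlist(Arrays.asList(
                "http://maps.google.com/maps",
                "https://cdn.example.com/libs/"));
        String[] requests = {
            "http://maps.google.com/maps?file=api&v=2&key=XXX",    // allowed
            "https://cdn.example.com/libs/prototype/prototype.js", // allowed
            "http://maps.google.com/maps-evil/x.js",               // wrong segment
            "https://cdn.example.com/libs/../upload/evil.js",      // normalizes out of /libs/
            "https://cdn.example.com/libs/%2e%2e/upload/evil.js",  // encoded traversal
            "http://maps.google.com@evil.example/maps",            // userinfo trick
            "javascript:alert(1)",                                 // not http(s)
            "ftp://cdn.example.com/libs/x.js"                      // not http(s)
        };
        for (String r : requests) {
            System.out.println((allow.isAllowed(r) ? "ALLOW  " : "REJECT ") + r);
        }
    }
}
```

Two caveats that the allowlist does not remove: whatever host is on the list is fully trusted, so a compromised or retired CDN domain still ships script into every page, and the key=XXX style query string still reaches the page unchanged, so the allowlist must be edited by administrators only, not by anyone who can edit a wiki document.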