see below
On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <jerome(a)xwiki.com> wrote:
Sergiu pointed out to me that this had already been discussed
in this thread:
http://markmail.org/message/nirue2ug5ahbsy5b
I agree the security concerns are not very simple to deal with if we
want to do this.
I'm currently thinking about this...
XSS is really annoying :)...
We worry about the JSX extension, but is there any security against JS
injection in any Wiki page?
At least, JSX could be used as a kind of firewall...
Imagine we create some JSX configuration parameters such as "Allowed JSX
external URLs"... (this is just an idea :) )...
Then when you call $jsx.use(externalurl), it is rendered by the JSX
extension which would verify the URL is allowed and if not would generate an
error...
Pascal
Jerome.
Jerome Velociter wrote:
I'm now thinking about another possibility:
letting the actual
extensions (documents with JavaScriptExtensions objects) declare
their library dependencies. We could create a new class for this,
which would have the path (absolute in case the file is distant, or name
of the file if it's on the FS) as a property. This way an extension can
declare as many deps as it needs.
This is not necessarily incompatible with the proposition below, we could
have both.
Jerome.
Jerome Velociter wrote:
Hello,
Following the open question #1 here
http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
"
Open question 1: Should $jsx.useFile("filename.js") work for files
located on the disk? This allows the same pull process to be used with
files located in the skin, without requiring SX documents and objects.
I'd say yes. Then, what should the URL look like?
/xwiki/bin/jsx/skins/albatross/somestyle.css is OK?
"
I would like to propose to go even further, and to allow injection of
script tags referring to libraries on the cloud or on a different server
using the jsx plugin. This would make it possible to not have users writing
script tags in the body of the document to add a library.
I would see something like:
$jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
or
$jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
What do you think ?
Regards,
Jerome.
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
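
The "Allowed JSX external URLs" check suggested in the reply above, sketched as an added example that is not part of the original thread or of XWiki's code. The class name `JsxUrlAllowlist`, the entry format (scheme, host, optional port, path prefix) and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not part of XWiki or its jsx plugin.
public class JsxUrlAllowlist {
    private final List<URI> allowed = new ArrayList<>();

    // Entries look like scheme://host[:port]/path-prefix (assumed config format).
    public JsxUrlAllowlist(List<String> entries) {
        for (String e : entries) allowed.add(URI.create(e).normalize());
    }

    public boolean isAllowed(String candidate) {
        URI u;
        try {
            u = new URI(candidate).normalize(); // resolves "." and ".." segments
        } catch (URISyntaxException ex) {
            return false; // unparsable input is rejected, never passed through
        }
        String raw = u.getRawPath();
        // Require an absolute URL with a plain host, no user-info part
        // ("http://good@other/") and no percent-escapes in the path
        // (a conservative way to block "%2e%2e" style traversal).
        if (u.getScheme() == null || u.getHost() == null
                || u.getRawUserInfo() != null || raw == null || raw.contains("%")) {
            return false;
        }
        for (URI a : allowed) {
            if (u.getScheme().equalsIgnoreCase(a.getScheme())
                    && u.getHost().equalsIgnoreCase(a.getHost())
                    && u.getPort() == a.getPort()
                    && underPrefix(raw, a.getRawPath())) return true;
        }
        return false;
    }

    // Match on a segment boundary so "/maps" does not also allow "/mapsother".
    private static boolean underPrefix(String path, String prefix) {
        if (prefix.isEmpty() || prefix.equals("/")) return true;
        String p = prefix.endsWith("/") ? prefix : prefix + "/";
        return path.equals(prefix) || path.startsWith(p);
    }

    public static void main(String[] args) {
        JsxUrlAllowlist list = new JsxUrlAllowlist(List.of("http://maps.google.com/maps"));
        String[] samples = { // constructed inputs
            "http://maps.google.com/maps?file=api&v=2&key=XXX",
            "http://maps.google.com.other.example/maps",
            "http://maps.google.com@other.example/maps",
            "http://maps.google.com/maps/../other.js",
            "//maps.google.com/maps" };
        for (String s : samples) System.out.println((list.isAllowed(s) ? "allow " : "error ") + s);
    }
}
```

The comparison runs on parsed components (scheme, host, port, normalized path) rather than on a string prefix of the URL, which is what keeps look-alike hosts and user-info tricks from matching an allowed entry.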