Pascal Voitot wrote:
see below
On Mon, Nov 3, 2008 at 8:44 AM, Jerome Velociter <[email protected]> wrote:
Sergiu pointed out to me that this had already been discussed in this thread: http://markmail.org/message/nirue2ug5ahbsy5b
I agree the security concerns are not very simple to deal with if we want to do this.
I'm currently thinking about this... XSS is really annoying :)... We fear about the JSX extension, but is there any security against JS injection in any wiki page?
At least, JSX could be used as a kind of firewall... Imagine we create some JSX configuration parameters such as "Allowed JSX external URLs"... (this is just an idea :) )... Then, when you call $jsx.use(externalurl), it is rendered by the JSX extension, which would verify that the URL is allowed and, if not, would generate an error...
Yes, we should forbid <script> tags inside the content, and only allow jsx calls.
Jerome.
Jerome Velociter wrote:
I'm now thinking about another possibility: letting the actual extensions (documents with JavaScriptExtensions objects) declare their library dependencies. We could create a new class for this, which would have the path (absolute if the file is remote, or the file name if it's on the FS) as a property. This way an extension can declare as many deps as it needs.
This is not necessarily incompatible with the proposition below; we could have both.
Jerome.
Jerome Velociter wrote:
Hello,
Following the open question #1 here http://dev.xwiki.org/xwiki/bin/view/Design/SkinExtensions#HUsage
"Open question 1: Should $jsx.useFile("filename.js") work for files located on the disk? This allows the same pull process to be used with files located in the skin, without requiring SX documents and objects. I'd say yes. Then, what should the URL look like? /xwiki/bin/jsx/skins/albatross/somestyle.css is OK?"
I would like to propose going even further, and allowing injection of script tags referring to libraries in the cloud or on a different server using the jsx plugin. This would avoid having users write script tags in the body of the document to add a library.
I would see something like:
$jsx.use("http://maps.google.com/maps?file=api&v=2&key=XXX")
or
$jsx.useFile("http://maps.google.com/maps?file=api&v=2&key=XXX")
What do you think?
Regards, Jerome.
-- Sergiu Dumitriu http://purl.org/net/sergiu/
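The "firewall" idea from the thread, an "Allowed JSX external URLs" configuration parameter checked when $jsx.use(externalurl) is rendered, plus the rule that raw <script> tags in content are rejected, modelled as an added example. This is not XWiki code and not Pascal's or Jerome's design: XWiki itself is Java, and the Python below only shows the checking logic. The configuration format (one allowed origin per line), the function names, and the sample URLs are assumptions made for this example. It goes slightly beyond the thread by showing why the check has to compare the full origin (scheme, host, port) rather than a string prefix, and why userinfo and lookalike hosts must be rejected.

```python
"""Model of an allow-list check for $jsx.use(externalUrl) (hypothetical, not XWiki code).

The parameter name "Allowed JSX external URLs" comes from the thread; its
format (one origin per line) and every function name here are assumptions.
"""
import html
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample configuration: what an admin might put into the
# hypothetical "Allowed JSX external URLs" parameter, one origin per line.
ALLOWED_JSX_EXTERNAL_URLS = """
http://maps.google.com
https://ajax.googleapis.com:443
"""


def _origin_of(url):
    """Return (scheme, host, port) for a plain http(s) URL, or None.

    Userinfo ("host@other") and malformed ports are refused outright, because
    both let a URL look as if it pointed at an allowed host when it does not.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname
    if not host:
        return None
    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return None
    return (scheme, host.lower(), port or DEFAULT_PORTS[scheme])


def parse_allowed_origins(config_value):
    """Turn the configuration text into a set of (scheme, host, port) tuples."""
    origins = set()
    for line in config_value.splitlines():
        line = line.strip()
        if not line:
            continue
        origin = _origin_of(line)
        if origin is None:
            raise ValueError("bad allow-list entry: %r" % line)
        origins.add(origin)
    return origins


def is_allowed_external_url(url, allowed_origins):
    """Allowed only when the full origin matches an entry exactly; a host that
    merely starts with an allowed host (maps.google.com.other.example) fails."""
    origin = _origin_of(url)
    return origin is not None and origin in allowed_origins


def render_jsx_use(url, allowed_origins):
    """What the extension would emit for $jsx.use(url): a script tag for an
    allowed URL, otherwise an error marker. The URL is attribute-escaped so the
    emitted tag cannot be broken out of by characters in the URL itself."""
    if not is_allowed_external_url(url, allowed_origins):
        return "<!-- jsx: external URL not allowed: %s -->" % html.escape(url)
    return '<script type="text/javascript" src="%s"></script>' % html.escape(url)


# Opening <script ...> tag written directly into wiki content, any case.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(content):
    """True when wiki content carries a raw <script> tag instead of a $jsx call;
    the thread proposes refusing such content."""
    return _SCRIPT_TAG.search(content) is not None


if __name__ == "__main__":
    allowed = parse_allowed_origins(ALLOWED_JSX_EXTERNAL_URLS)
    for candidate in (
        "http://maps.google.com/maps?file=api&v=2&key=XXX",
        "http://maps.google.com.other.example/x.js",   # lookalike host
        "http://maps.google.com@other.example/x.js",   # allowed host as userinfo
        "https://ajax.googleapis.com/ajax/libs/prototype/1.6.0.3/prototype.js",
        "ftp://files.example/x.js",                    # scheme not allowed
    ):
        print(candidate, "->", render_jsx_use(candidate, allowed))
    print(contains_script_tag('<SCRIPT src="http://other.example/x.js"></SCRIPT>'))
```

The important design choice is that the allow-list is compared as parsed origins, not as URL prefixes: a prefix check would accept both the lookalike host and the userinfo form above, and the port normalisation keeps "https://host" and "https://host:443" from being treated as different entries.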