but that's a basic requirement of the tool, that authors be allowed to
enter html into their entries. we call it a "blog" but at the end of
the day it's just a website.
if you want to prevent your users from entering in javascript because
you don't trust them then you should certainly do that, but it's very
dependent on the actual use case.
many of the very big and public free blog sites section off each blog
onto its own domain specifically to prevent this as well. i.e.
myblog.wordpress.com. this way even though you can enter in javascript
when authoring your blog, it's confined to your own domain, so you can't
use it to attack anything outside your own blog. this would be another
option if you feel you need greater security.
-- Allen
Nick Lothian wrote:
Entering something like <script>alert('test')</script> in both the title and
content fields will mean the javascript will be executed when the page loads.
Given that many Roller setups allow effectively anonymous people to set up a
blog, that seems just as serious as HTML in comments.
(Also, shouldn't all HTML be stripped from the title in all circumstances, too? At the
moment <h1>title</h1> works)
Nick
-----Original Message-----
From: Matt Raible [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 30 April 2008 10:07 PM
To: [email protected]
Subject: Re: XSS in Roller
What do you mean? Do you have an example of an XSS attack on Roller? I
believe it's only possible if you allow HTML in comments. And even
that is sanitized to only allow certain elements.
Matt
On Wed, Apr 30, 2008 at 1:23 AM, Nick Lothian
<[EMAIL PROTECTED]> wrote:
Is there a way to disable XSS attacks via the Roller blog entry form?
Apparently later versions of xinha (the HTML editor) have an option to help
with this, but Roller appears to be using a much earlier version.
Has anyone looked at this?
Nick
IMPORTANT: This e-mail, including any attachments, may contain private or
confidential information. If you think you may not be the intended recipient,
or if you have received this e-mail in error, please contact the sender
immediately and delete all copies of this e-mail. If you are not the intended
recipient, you must not reproduce any part of this e-mail or disclose its
contents to any other party. This email represents the views of the individual
sender, which do not necessarily reflect those of education.au limited except
where the sender expressly states otherwise. It is your responsibility to scan
this email and any files transmitted with it for viruses or any other defects.
education.au limited will not be liable for any loss, damage or consequence
caused directly or indirectly by this email.
--
http://raibledesigns.com
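The two controls discussed in this thread, an allow-list sanitizer that keeps only certain elements (what Matt describes for comments) and stripping all markup from the title (what Nick suggests), as an added illustration in Python. This is not Roller's code: the element and attribute lists are constructed for the example, since the thread does not say which elements Roller permits.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allow-list for illustration; the thread does not say which
# elements Roller actually permits in sanitized comments.
CONTENT_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
CONTENT_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")

class AllowListSanitizer(HTMLParser):
    # Rebuilds markup from scratch: unknown tags and all non-listed attributes
    # are dropped, text is re-escaped, script/style lose their contents too.
    def __init__(self, allowed_tags, allowed_attrs):
        super().__init__(convert_charrefs=True)
        self.allowed_tags, self.allowed_attrs = allowed_tags, allowed_attrs
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
        elif not self.skip_depth and tag in self.allowed_tags:
            kept = ""
            for name, value in attrs:
                if name not in self.allowed_attrs.get(tag, ()) or value is None:
                    continue  # event handlers, style, etc. never survive
                if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                    continue  # only plain link schemes are re-emitted
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.allowed_tags and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # convert_charrefs gave plain text; escape it again
            self.out.append(escape(data, quote=False))

def sanitize(raw, allowed_tags, allowed_attrs):
    parser = AllowListSanitizer(allowed_tags, allowed_attrs)
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)

def sanitize_content(raw):  # entry body: allow-listed markup only
    return sanitize(raw, CONTENT_TAGS, CONTENT_ATTRS)

def sanitize_title(raw):  # entry title: no markup at all, as Nick suggests
    return sanitize(raw, set(), {})
```

Because the output is rebuilt from the parse tree rather than filtered with regular expressions, the `<script>alert('test')</script>` and `<h1>title</h1>` inputs from the thread come out as empty and plain `title` respectively.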