I don't see a problem with adding support for it. However, for backwards compatibility's sake, we'd likely have to turn it off by default.

Matt

On Wed, Apr 30, 2008 at 6:10 PM, Nick Lothian <[EMAIL PROTECTED]> wrote:
> But entering Javascript is very different to entering HTML. I understand that stuff like http://jehiah.cz/archive/xss-stealing-cookies-101 probably won't be an issue for sites with very strong authentication requirements for blog ownership, but for most sites it will be a big problem.
>
> For example, isn't it an issue that anyone can set up a blog on JRoller and hijack an administrator's session?
>
> (The HTML - as opposed to javascript - in the title tag is a different and less serious problem.)
>
> Nick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 1 May 2008 9:03 AM
> To: [email protected]
> Subject: Re: XSS in Roller
>
> but that's a basic requirement of the tool, that authors be allowed to enter html into their entries. we call it a "blog" but at the end of the day it's just a website.
>
> if you want to prevent your users from entering in javascript because you don't trust them then you should certainly do that, but it's very dependent on the actual use case.
>
> many of the very big and public free blog sites section off each blog onto its own domain specifically to prevent this as well, i.e. myblog.wordpress.com. this way even though you can enter in javascript when authoring your blog, it's confined to your own domain, so you can't use it to attack anything outside your own blog. this would be another option if you feel you need greater security.
>
> -- Allen
>
> Nick Lothian wrote:
> > Entering something like <script>alert('test')</script> in both the title and content fields will mean the javascript will be executed when the page loads.
> >
> > Given that many Roller setups allow effectively anonymous people to set up a blog, that seems just as serious as HTML in comments.
> >
> > (Also, shouldn't all HTML be stripped from the title in all circumstances, too? At the moment <h1>title</h1> works)
> >
> > Nick
> >
> > -----Original Message-----
> > From: Matt Raible [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, 30 April 2008 10:07 PM
> > To: [email protected]
> > Subject: Re: XSS in Roller
> >
> > What do you mean? Do you have an example of an XSS attack on Roller? I believe it's only possible if you allow HTML in comments. And even that is sanitized to only allow certain elements.
> >
> > Matt
> >
> > On Wed, Apr 30, 2008 at 1:23 AM, Nick Lothian <[EMAIL PROTECTED]> wrote:
> >> Is there a way to disable XSS attacks via the Roller blog entry form?
> >>
> >> Apparently later versions of xinha (the HTML editor) have an option to help with this, but Roller appears to be using a much earlier version.
> >>
> >> Has anyone looked at this?
> >>
> >> Nick
> >>
> >> IMPORTANT: This e-mail, including any attachments, may contain private or confidential information. If you think you may not be the intended recipient, or if you have received this e-mail in error, please contact the sender immediately and delete all copies of this e-mail. If you are not the intended recipient, you must not reproduce any part of this e-mail or disclose its contents to any other party. This email represents the views of the individual sender, which do not necessarily reflect those of education.au limited except where the sender expressly states otherwise. It is your responsibility to scan this email and any files transmitted with it for viruses or any other defects. education.au limited will not be liable for any loss, damage or consequence caused directly or indirectly by this email.
> >
> > --
> > http://raibledesigns.com
>

--
http://raibledesigns.com
