Cool - although I'm not sure I agree about the compatibility problem. I'd 
suspect that many people don't realize that Roller is allowing this, and there 
is some chance that the first thing they know about it is when their site gets 
hacked.

I understand that this isn't exactly a finance system or something, but 
nonetheless - security by default is normally a good approach.

If people really do want the ability to post javascript, then perhaps the 
project should look at integrating Google Caja support?

In the meantime, in our installation we are going to sanitize at output time 
using AntiSamy (http://www.owasp.org/index.php/AntiSamy). That's fairly easy 
for us to integrate, because we're displaying via SiteMesh decorator already. 
If someone wanted to commit the patch in 
https://issues.apache.org/roller/browse/ROL-1703 that would help, though!

Nick

-----Original Message-----
From: Matt Raible [mailto:[EMAIL PROTECTED]
Sent: Thursday, 1 May 2008 10:44 AM
To: [email protected]
Subject: Re: XSS in Roller

I don't see a problem with adding support for it. However, for
backwards compatibilities sake, we'd likely have to turn it off by
default.

Matt

On Wed, Apr 30, 2008 at 6:10 PM, Nick Lothian
<[EMAIL PROTECTED]> wrote:
> But entering Javascript is very different to entering HTML. I understand that 
> stuff like http://jehiah.cz/archive/xss-stealing-cookies-101 probably won't 
> be an issue for sites with very strong authentication requirements for blog 
> ownership, but for most sites it will be a big problem.
>
>  For example, isn't it an issue that anyone can set up a blog on JRoller and 
> hijack an administrator's session?
>
>  (The HTML - as opposed to javascript - in the title tag is a different and 
> less serious problem.)
>
>  Nick
>
>
>
>  -----Original Message-----
>  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>  Sent: Thursday, 1 May 2008 9:03 AM
>  To: [email protected]
>  Subject: Re: XSS in Roller
>
>  but that's a basic requirement of the tool, that authors be allowed to
>  enter html into their entries.  we call it a "blog" but at the end of
>  the day it's just a website.
>
>  if you want to prevent your users from entering in javascript because
>  you don't trust them then you should certainly do that, but it's very
>  dependent on the actual use case.
>
>  many of the very big and public free blog sites section off each blog
>  onto its own domain specifically to prevent this as well.  i.e.
>  myblog.wordpress.com.  this way even though you can enter in javascript
>  when authoring your blog, it's confined to your own domain, so you can't
>  use it to attack anything outside your own blog.  this would be another
>  option if you feel you need greater security.
>
>  -- Allen
>
>
>  Nick Lothian wrote:
>  > Entering something like <script>alert('test')</script> in both the title 
> and content fields will mean the javascript will be executed when the page 
> loads.
>  >
>  > Given that many Roller setups allow effectively anonymous people to set up 
> a blog, that seems just as serious as HTML in comments.
>  >
>  > (Also, shouldn't all HTML be stripped from the title in all circumstances, 
> too? At the moment <h1>title</h1> works)
>  >
>  > Nick
>  >
>  > -----Original Message-----
>  > From: Matt Raible [mailto:[EMAIL PROTECTED]
>  > Sent: Wednesday, 30 April 2008 10:07 PM
>  > To: [email protected]
>  > Subject: Re: XSS in Roller
>  >
>  > What do you mean? Do you have an example of an XSS attack on Roller? I
>  > believe it's only possible if you allow HTML in comments. And even
>  > that is sanitized to only allow certain elements.
>  >
>  > Matt
>  >
>  > On Wed, Apr 30, 2008 at 1:23 AM, Nick Lothian
>  > <[EMAIL PROTECTED]> wrote:
>  >> Is there a way to disable XSS attacks via the Roller blog entry form?
>  >>
>  >>  Apparently later versions of xinha (the HTML editor) have an option to 
> help with this, but Roller appears to be using a much earlier version.
>  >>
>  >>  Has anyone looked at this?
>  >>
>  >>  Nick
>  >>
>  >>  IMPORTANT: This e-mail, including any attachments, may contain private 
> or confidential information. If you think you may not be the intended 
> recipient, or if you have received this e-mail in error, please contact the 
> sender immediately and delete all copies of this e-mail. If you are not the 
> intended recipient, you must not reproduce any part of this e-mail or 
> disclose its contents to any other party. This email represents the views of 
> the individual sender, which do not necessarily reflect those of education.au 
> limited except where the sender expressly states otherwise. It is your 
> responsibility to scan this email and any files transmitted with it for 
> viruses or any other defects. education.au limited will not be liable for any 
> loss, damage or consequence caused directly or indirectly by this email.
>  >>
>  >
>  >
>  >
>  > --
>  > http://raibledesigns.com
>  >
>
>



--
http://raibledesigns.com

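The output-time approach described at the top of this thread (escape titles wholesale, run entry bodies through an AntiSamy policy) as an added example. This is illustrative code written for this page, not Roller's code and not the patch in ROL-1703; it assumes the OWASP AntiSamy jar is on the classpath and that an AntiSamy policy XML is available at the path passed in (the default file name below is only an assumption). The class name EntryOutputSanitizer and both method names are hypothetical.

```java
import java.util.List;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Output-time sanitization for blog entries (hypothetical helper, not Roller code).
 * Titles are treated as plain text and escaped wholesale, so <h1>title</h1> or a
 * <script> tag renders literally. Entry bodies are allowed to carry HTML, so they
 * go through an AntiSamy allowlist policy instead, which drops script and event
 * handler attributes while keeping permitted markup.
 */
public final class EntryOutputSanitizer {

    private final AntiSamy antiSamy = new AntiSamy();
    private final Policy policy;

    /** @param policyPath path to an AntiSamy policy XML file (assumed to exist on disk). */
    public EntryOutputSanitizer(String policyPath) throws PolicyException {
        this.policy = Policy.getInstance(policyPath);
    }

    /** A title never needs markup: escape every HTML metacharacter rather than trying to strip tags. */
    public static String sanitizeTitle(String title) {
        if (title == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(title.length());
        for (char c : title.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** A body may contain HTML, so filter it through the policy; anything the policy does not allow is removed. */
    public String sanitizeContent(String html) throws ScanException, PolicyException {
        if (html == null) {
            return "";
        }
        CleanResults results = antiSamy.scan(html, policy);
        List<String> removed = results.getErrorMessages();
        if (!removed.isEmpty()) {
            // In a real deployment this belongs in the application log: it is the
            // signal that an author tried to post script or other disallowed markup.
            System.err.println("AntiSamy removed " + removed.size() + " item(s): " + removed);
        }
        return results.getCleanHTML();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the payload from the thread, placed in both fields.
        String payload = "<script>alert('test')</script>";
        // Assumed policy location; pass the real path as the first argument.
        String policyPath = args.length > 0 ? args[0] : "antisamy-slashdot.xml";

        System.out.println("title:   " + sanitizeTitle("<h1>title</h1>" + payload));

        EntryOutputSanitizer sanitizer = new EntryOutputSanitizer(policyPath);
        System.out.println("content: " + sanitizer.sanitizeContent("<p>Hello <b>world</b></p>" + payload));
    }
}
```

Because this runs at render time, the stored entry is left untouched; that is what makes it easy to drop into a decorator, and it also means switching the policy later (for example to a stricter one for anonymous blogs) changes what every existing entry renders as, without a data migration. The escaped title will display the literal text of the tags; if the intent is to strip them silently instead, the same AntiSamy scan with a policy that allows no elements at all would do that.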
