I was building a plan for a flog tool when I realised I had overlooked the Javascript.
From what I can see the main security issues with javascript are:

Code insertion
AJAX
The eval() function
Possibly some of the higher level DOM objects

Would this be good as a summer of code project along with a freesite app as proof of use?

On Thu, 2009-03-26 at 18:21 +0000, Matthew Toseland wrote:
> On Thursday 26 March 2009 15:26:19 Daniel Cheng wrote:
> > On Thu, Mar 26, 2009 at 9:47 PM, M <[email protected]> wrote:
> > > I understand that javascript has to be disabled because of the
> > > multitude of security holes it could open up. I was wondering if anyone
> > > had ever thought about a freenetscript similar to how facebook
> > > implemented FBML and FBJS to allow developers lots of scope for
> > > functionality whilst stopping phishing attacks.
> >
> > I did propose something similar in the past.
> > But some developers think it is far better to have a JavaScript
> > parser/filter.
> > -- a "good" one, not a "complete" one.
> > [it can not be completed, for it is a proven equivalent to the halting
> > problem]
>
> Not true. Only a filter which cannot modify code is equivalent to the halting
> problem. A filter which can modify code and insert guard functions is quite
> feasible: it does not need to know what the long-term behaviour of the code
> is, it just needs to know that the function for e.g. HTML insertion will
> always be fed through our HTML filtering. Having said that, there are various
> subtle attacks which it may not be possible to exclude completely without
> some fairly extreme measures (e.g. not allowing scripts to insert).
>
> Also I don't recall a proposal for a flexible scripting subset, iirc we were
> talking about recipes...
>
> > > The FreenetScript could be parsed by FProxy and turned into regular
> > > javascript with freenet-only links.
_______________________________________________
Devl mailing list
[email protected]
http://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
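
The guard-function idea from the quoted reply above (rewrite the script so that HTML insertion always passes through the HTML filter, instead of predicting what the script will do), as an added example that is not part of the original thread or of Freenet's code. Every name in it is hypothetical, the escape-everything guard is only a stand-in for a real HTML filter, the element is a constructed object rather than a DOM node, and the accepted script subset is kept deliberately tiny; it is a sketch of the rewrite step, not a complete filter.

```javascript
// Added illustration, not Freenet/FProxy code. All names are hypothetical.

// Stand-in for the HTML filter (assumption: escape everything, so inserted
// markup renders as inert text; a real filter would whitelist elements).
function guardHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Branch order matters: string literals and comments are consumed first, so
// the later branches only ever see code.
const TOKEN = new RegExp([
  // 1: literals and comments, passed through unchanged
  /("(?:\\.|[^"\\\n\r])*"|'(?:\\.|[^'\\\n\r])*'|\/\/[^\n\r\u2028\u2029]*|\/\*[\s\S]*?\*\/)/,
  // 2: HTML insertion sinks, renamed to their guarded form
  /\b(innerHTML|outerHTML)\b/,
  // 3: syntax this sketch cannot see through, rejected outright. That costs
  //    array literals, division and regex literals: a deliberately small subset.
  /(\b(?:eval|Function|constructor)\b|[\[\/`\\])/
].map(r => r.source).join('|'), 'g');

// Rewrite without analysing behaviour: rename every sink, refuse the rest.
function rewriteScript(src) {
  return src.replace(TOKEN, (m, skip, sink, bad) => {
    if (bad) throw new Error('rejected, cannot be checked statically: ' + m);
    return sink ? '__guarded_' + sink : m;
  });
}

// Constructed host object standing in for a DOM element. Rewritten code can
// only reach the real property through the guarded setter.
function makeElement() {
  const el = { innerHTML: '' };
  Object.defineProperty(el, '__guarded_innerHTML', {
    get() { return this.innerHTML; },
    set(v) { this.innerHTML = guardHtml(v); }
  });
  return el;
}

// Run a rewritten script against the constructed element; return what landed.
function runFiltered(src) {
  const el = makeElement();
  new Function('el', rewriteScript(src))(el);
  return el.innerHTML;
}
```

The rewriter never decides whether a script is harmful; it only guarantees that the sinks it recognises are renamed and that syntax it cannot check is refused, which is the trade-off the reply describes.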
