On Tue, Dec 09, 2008 at 02:03:17PM +0100, Nicolas Vervelle wrote:
> Hi,
>
>
> On Tue, Dec 9, 2008 at 1:21 PM, Angel Herraez <[EMAIL PROTECTED]> wrote:
>
> > I'd like to keep this discussion going, so here is a little bit more,
> > picking up on the possibilities to have Jmol supported in Wikipedia
> > and other Wikis:
> >
> >
> > On 30 Nov 2008 22:53, Nicolas Vervelle wrote:
> >
> > > On the matter of security issues, there are at least 2 things to do :
> > > * Being able to entirely deactivate the possibility to let arbitrary
> > > Javascript being called by Jmol. I don't know if there's a way in
> > > Jmol to disable this. There's a need to completely disable the
> > > 'javascript' command in Jmol scripts. The problem is demonstrated by
> > >
> > > http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
> >
> > Do we still need this? (see below)
> >
> >
> > > * Ensuring that the extension doesn't allow for true Javascript
> > > injection (whatever text is entered by someone in the <jmol> tags,
> > > this only creates Jmol applet and Jmol scripts, nothing else). I
> > > think this means ensuring that in the generated page, the text is
> > > always correctly escaped to prevent Javascript injection.
> >
> > This is implemented in the last update.
> >
> > > The second problem needs to be treated in the extension. My knowledge
> > > on PHP and the security issues is limited (and I don't have much time
> > > available), so some help from someone knowing how to deal with the
> > > script injection would be very useful.
> >
> > The way I've implemented it, any script passed to the Extension
> > (inside the extension's <script> tag) containing the word
> > "javascript" (case-insensitive) will be completely ignored.
> > I guess it can be done so that only the javascript part is removed and
> > the remaining script is preserved, but I don't know so much PHP as to
> > do so. And the idea is that users-editors of wiki pages should not
> > try at all to use javascript in the wiki pages.
>
> This approach is interesting but I am not sure it covers all the
> possibilities.
> For example, I think you can still run Javascript with scripts calling other
> scripts :
>
> - Create a wiki page with contents corresponding to a Jmol script with
>   Javascript in it.
> - Add a <jmol> tag in a page with a script calling the other script
>
>
> > As a side effect, the <text>, <title>, <name>... tags of the
> > extension cannot contain the forbidden word either (they are all
> > parsed via the same function as script is). Not a big sacrifice.
>
> Not a problem :)
>
> > And on 1 Dec 2008 9:49, Brian Salter-Duke wrote:
> > > The
> > > mediawiki code would need changing anyway to allow use of Jmol files on
> > > Commons as well as wikipedia.
> >
> > This needs further work, but is related to the above config.
> > settings.
>
> I am not sure using Jmol files on Commons needs any change.
> I thought that files in the Image namespace in Commons are simply exported
> to other wikis and kept up to date.

I am fairly sure that this is not right. The code looks at Commons first
for the image, and then on the local wiki. I could however be mistaken.
Wikipedia images confuse me.

Brian.

> Nico

-- 
Brian Salter-Duke (Brian Duke) Email: b_duke(AT)bigpond(DOT)net(DOT)au

_______________________________________________
Jmol-users mailing list
Jmol-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jmol-users
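Added Python sketch, not the Jmol MediaWiki extension's PHP, of the three mechanisms discussed in the thread above: Angel's whole-input keyword filter, the statement-level variant he says he lacks the PHP for, and the output escaping Nico's second item calls for. It assumes Jmol statements are separated by ';' or newlines; the function names, parameter names and sample scripts are constructed for illustration.

```python
import html
import re

# Added sketch, not the Jmol MediaWiki extension's PHP. Assumption: Jmol
# script statements are separated by ';' or by newlines.
FORBIDDEN = re.compile(r"javascript", re.IGNORECASE)


def reject_whole_script(text):
    """The filter as described: input containing the word 'javascript'
    (case-insensitive) is ignored entirely. The same function is applied
    to <script>, <text>, <title> and <name> content alike."""
    return "" if FORBIDDEN.search(text) else text


def strip_javascript_statements(script):
    """The refinement Angel mentions: drop only the statements that carry
    the forbidden word and keep the rest of the Jmol script."""
    statements = (s.strip() for s in re.split(r"[;\n]", script))
    kept = [s for s in statements if s and not FORBIDDEN.search(s)]
    return "; ".join(kept)


def render_applet_param(name, value):
    """Nico's second point: whatever survives filtering is HTML-escaped
    (quotes included) before it is written into the generated page, so
    editor text can only ever become an applet parameter, never markup."""
    return '<param name="%s" value="%s" />' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


# Caveat from the thread: both filters only see the text handed to the
# tag. A statement that tells the applet to load a script from another
# page is evaluated at run time, where neither filter is applied, so the
# keyword check alone is not a complete defence.
if __name__ == "__main__":
    # Constructed inputs, not taken from the page.
    print(reject_whole_script("load 1abc.pdb; JavaScript doSomething()"))
    print(strip_javascript_statements(
        "load 1abc.pdb;\njavascript doSomething(); spin on"))
    print(render_applet_param("script", 'load "1abc.pdb"'))
```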