One of the things we would like to see in Roller 4.0 is the ability for
a blog to be in its own domain.
We have been investigating the XSS vulnerabilities inherent in any site
that allows user-submitted content (e.g. themes, blog posts, comments).
Roller is pretty vulnerable at the moment to XSS attacks and placing
each blog in its own domain is one of the first steps necessary to
better mitigate the risks of an attack.
This seems to be a well-understood problem, and details of what
LiveJournal had to do are here http://news.livejournal.com/90556.html and
here
http://www.davidpashley.com/cgi/pyblosxom.cgi/computing/livejournal-mozilla-bug.html.
Could this be considered for Roller 4.0? It's pretty significant as
once again the URL structure needs to change and it can only really be
achieved in conjunction with Apache virtual hosts.
Thanks,
Rob