Re: [dspace-tech] XMLUI/Mirage 2: Community/Collection description as security issue

2020-06-01 Thread Paul Münch
Hi Bram,
Hi Pascal,

thanks for your replies and you both are absolutely right. In our repository 
with open access publications we make heavy use of this feature and there are 
only a few administrators. So this is ok and we know who they are.

On the other side there are for example research data repositories in which 
each institute or research group has its own collections with (maybe) varying 
administrators. It would be hard to monitor each description text.

To make it configurable would be a great feature. But until a full 
implementation, it is useful for me to know how I can avoid the rendering.

Kind regards,
Paul


Re: [dspace-tech] XMLUI/Mirage 2: Community/Collection description as security issue

2020-05-27 Thread Pascal-Nicolas Becker
Hi Paul,

this issue was discussed several times. Community/Collection descriptions can 
be edited by repository administrators and Community/Collection administrators 
only. We always said that those are trusted. Of course you can argue that they 
could make mistakes even if they don't want to, but it would be very hard to 
create a system that actively protects administrators from making any mistake.

If we still feel the urge to change this, I would recommend making it 
configurable, to allow the old behavior.

Best regards,
  Pascal


--  
The Library Code GmbH
Pascal-Nicolas Becker

Reichsstr. 18
14052 Berlin
Germany

pas...@the-library-code.de
Tel.: +49 30 51 30 48 35
https://www.the-library-code.de

Managing Director: Pascal-Nicolas Becker
Amtsgericht Charlottenburg, HRB 186457 B
VAT ID No.: DE311762726

-- 
All messages to this mailing list should adhere to the DuraSpace Code of 
Conduct: https://duraspace.org/about/policies/code-of-conduct/
--- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/68EFFBB9-D002-4956-8A7F-510047F794A9%40the-library-code.de.


Re: [dspace-tech] XMLUI/Mirage 2: Community/Collection description as security issue

2020-05-27 Thread Bram Luyten
Hi Paul,

I definitely agree that it is a potential security risk and that people
editing community and collection pages have to watch out what they are
doing.
However, the ability to get script tags executed on those pages makes some
integrations relatively lightweight.

One example is the Twitter badges you can configure via
https://publish.twitter.com/
Copy-paste the resulting script tag into your collection or community
description and the tweets are immediately there:
https://newdemo.openrepository.com/handle/2384/582855

Maybe it would make sense to allow or disallow either the entry of such
code into the description fields, or the rendering, based on a
repository-wide on-off switch?

with kindest regards,

Bram

Bram Luyten
250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586
Gaston Geenslaan 14, 3001 Leuven, Belgium
DSpace Express Hosting - Open Repository Hosting - Custom DSpace Services




To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/CACwo3X2q%2BrLP8ZPODaRLKv5cD_YMruTqMWCMEBZ2AFdJeqcg6g%40mail.gmail.com.


Re: [dspace-tech] XMLUI/Mirage 2: Community/Collection description as security issue

2020-05-27 Thread Paul Münch
Hello Mark,

thanks for the reply. I checked SimpleHTMLFragment.java, but it
isn't used in the community or collection UI. I guess that it's an XSLT
problem.

HTML code snippets in the community or collection description fields are
interpreted, but not on the item page. The only difference I see is that
in item-view.xsl the function xsl:value-of is used instead of
xsl:copy-of in community-view.xsl or collection-view.xsl. I updated
xsl:copy-of to xsl:value-of but nothing changed.

I like the feature itself but try to prevent users from adding script tags in
description texts.

Kind regards,

Paul Münch


To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/cf549c62-255b-0010-45b3-8e1a94b4c978%40staff.uni-marburg.de.
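The xsl:value-of versus xsl:copy-of difference Paul describes above, together with the repository-wide on/off switch Bram proposed earlier in the thread, modelled in Python as an added example. This is not code from the thread or from DSpace itself (DSpace XMLUI does this in XSLT and Java); the sample description, the function names and the script-stripping parser are constructed for this example. `render_as_text` stands in for xsl:value-of (the stored string is emitted as escaped text), `render_as_markup` for xsl:copy-of (the string is emitted as-is), and `render_with_switch` for the proposed switch applied at render time. Why Paul's change in the theme had no visible effect is not explained by the thread and is not answered here; the block only shows what each rendering choice does to a description that carries a badge script tag.

```python
"""Rendering a community/collection description three ways.

Added example; it assumes the description is kept as a single HTML string and
that the theme can choose how to emit it.  Nothing here is DSpace's own code.
"""
import html
from html.parser import HTMLParser

# Constructed sample: ordinary markup plus the kind of <script> tag a
# publish.twitter.com badge snippet adds to a description.
SAMPLE_DESCRIPTION = (
    "<p>Open access <b>publications</b> of the institute.</p>"
    '<a class="twitter-timeline" href="https://twitter.com/example">Tweets</a>'
    '<script async src="https://platform.twitter.com/widgets.js"></script>'
)


def render_as_text(description):
    """xsl:value-of semantics: the string becomes text, so every '<' is
    emitted as '&lt;' and the browser shows the markup literally.  Nothing
    executes, but the Twitter badge is reduced to visible source."""
    return html.escape(description, quote=False)


def render_as_markup(description):
    """xsl:copy-of semantics: the string is emitted unchanged, so the browser
    parses and runs whatever it contains.  Badges work; so does any script."""
    return description


class _ScriptStripper(HTMLParser):
    """Re-serialises markup while dropping <script> elements (with their
    content) and any on* event-handler attributes; other tags pass through."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives unescaped
        self.out = []
        self._in_script = 0

    def _open_tag(self, tag, attrs, self_closing=False):
        kept = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
        attr_text = "".join(
            f' {k}="{html.escape(v or "", quote=True)}"' for k, v in kept
        )
        return f"<{tag}{attr_text}{'/' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script += 1
        elif not self._in_script:
            self.out.append(self._open_tag(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag != "script" and not self._in_script:
            self.out.append(self._open_tag(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = max(0, self._in_script - 1)
        elif not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output so stray '<' in data cannot open a tag.
        if not self._in_script:
            self.out.append(html.escape(data, quote=False))


def render_with_switch(description, allow_scripts):
    """The repository-wide switch from the thread, applied at render time:
    on -> copy-of behaviour; off -> markup is kept but scripts are dropped."""
    if allow_scripts:
        return render_as_markup(description)
    parser = _ScriptStripper()
    parser.feed(description)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for mode, out in (
        ("value-of", render_as_text(SAMPLE_DESCRIPTION)),
        ("copy-of", render_as_markup(SAMPLE_DESCRIPTION)),
        ("switch off", render_with_switch(SAMPLE_DESCRIPTION, allow_scripts=False)),
    ):
        print(f"{mode:>10}: {out}")
```

With the switch off, the badge's anchor survives but its `<script>` is gone, which is the middle ground between "everything literal" (value-of) and "everything executes" (copy-of). A real deployment would apply the same gate at input time as well, as Bram's message suggests, so that administrators see at save time that script content will not be rendered.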


Re: [dspace-tech] XMLUI/Mirage 2: Community/Collection description as security issue

2020-05-19 Thread Mark H. Wood

Have you looked at 
dspace-xmlui/src/main/java/org/dspace/app/xmlui/wing/element/SimpleHTMLFragment.java?

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/20200519125655.GA23161%40IUPUI.Edu.




[dspace-tech] XMLUI/Mirage 2: Community/Collection description as security issue

2020-05-18 Thread Paul Münch
Hello,

unfortunately it is possible to add some executable scripts in the description 
metadata of communities and collections. Even if someone doesn't plan evil 
things, inexperienced community or collection admins could do some damage.

Do you have a solution or a workaround for this? I've looked for the code 
snippet which executes the HTML code but didn't find anything.

Many thanks in advance and kind regards, 

Paul Münch

To view this discussion on the web visit 
https://groups.google.com/d/msgid/dspace-tech/ACAF63AA-978C-4983-B948-0BE6D162E8EC%40staff.uni-marburg.de.



