2008/6/2 Florent Daignière <nextgens at freenetproject.org>:
> * Daniel Cheng <j16sdiz+freenet at gmail.com> [2008-06-01 23:11:04]:
>
>> On Sun, Jun 1, 2008 at 5:03 AM, Ahmed MANSOUR <911freak at gmail.com> wrote:
>> > Hi,
>> > I discovered recently a wiki system called "wiki on the stick" and
>> > TiddlyWiki.com, they are both single-file wiki systems made
>> > in JavaScript so they run inside the browser without the need of a
>> > webserver or other scripting languages.
>>
>> er.. FProxy strips out JavaScript ...
>>
>> This is essential for user privacy (until someone comes up with a
>> custom browser that won't access the internet)
>>
>
> It strips it out because we don't have a JavaScript filter yet... Maybe
> it's a good reason to code one :)
>
Is that doable? An attacker can change the .src attribute of a <img> tag pointing to an external site. There are several DOM and non-DOM methods for changing that. A whitelist approach will make many objects in JavaScript non-usable.