On Monday 02 June 2008 15:19, Daniel Cheng wrote: > 2008/6/2 Florent Daigni?re <nextgens at freenetproject.org>: > > * Daniel Cheng <j16sdiz+freenet at gmail.com> [2008-06-01 23:11:04]: > > > >> On Sun, Jun 1, 2008 at 5:03 AM, Ahmed MANSOUR <911freak at gmail.com> > >> wrote: > >> > Hi, > >> > I discovered recently a wiki system called "wiki on the stick" and > >> > TiddlyWiki.com, they are both single file wiki system made > >> > in JavaScript so they run inside the browser without the need of a > >> > webserver or other scripting languages. > >> > >> er.. FProxy strip out javascripts ... > >> > >> This is essential for user privacy (until someone come up with a > >> custom browser that won't access the internet) > >> > > > > It strips it out because we don't have a javascript filter yet... Maybe > > it's a good reason to code one :) > > > > Is that doable? > An attacker can change the .src attribute of a <img> tag pointing to > an external site. > There are several DOM and non-DOM method for changing that. A > whitelist approach will make many Object in javascript non-usable.
It IS feasible IMHO, however it would be a pretty big project. It would likely require modifying the javascript to introduce run time type analysis, as well as providing sanitised versions of various setters and so on... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available URL: <https://emu.freenetproject.org/pipermail/tech/attachments/20080603/8de40c6e/attachment.pgp>
