Matthew Toseland wrote:
> On Monday 02 June 2008 15:19, Daniel Cheng wrote:
>> 2008/6/2 Florent Daignière <nextgens at freenetproject.org>:
>>> * Daniel Cheng <j16sdiz+freenet at gmail.com> [2008-06-01 23:11:04]:
>>>
>>>> On Sun, Jun 1, 2008 at 5:03 AM, Ahmed MANSOUR <911freak at gmail.com>
>>>> wrote:
>>>>> Hi,
>>>>> I discovered recently a wiki system called "wiki on the stick" and
>>>>> TiddlyWiki.com, they are both single file wiki systems made
>>>>> in JavaScript so they run inside the browser without the need of a
>>>>> webserver or other scripting languages.
>>>> er.. FProxy strips out javascripts ...
>>>>
>>>> This is essential for user privacy (until someone comes up with a
>>>> custom browser that won't access the internet)
>>>>
>>> It strips it out because we don't have a javascript filter yet... Maybe
>>> it's a good reason to code one :)
>>>
>> Is that doable?
>> An attacker can change the .src attribute of an <img> tag pointing to
>> an external site.
>> There are several DOM and non-DOM methods for changing that. A
>> whitelist approach will make many objects in javascript non-usable.
>
> It IS feasible IMHO, however it would be a pretty big project. It would likely
> require modifying the javascript to introduce run time type analysis, as well
> as providing sanitised versions of various setters and so on...

I know Jeremy (who coded TiddlyWiki) a little bit and wouldn't be surprised if he'd be interested in contributing towards this. By all means send him an email and ask.
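
An added illustration of the "sanitised setter" idea discussed in the thread; it is not code from any poster or from Freenet. The names `isLocalUrl`, `guardUrlSetter`, `makeFakeImage` and `NODE_ORIGIN` are hypothetical, the node address is an assumption, and the image object is a constructed stand-in so the block runs outside a browser.

```javascript
// Added example. All names here are hypothetical, not Freenet APIs.
const NODE_ORIGIN = "http://127.0.0.1:8888"; // assumed address of the local FProxy

// Accept only URLs that resolve to the local node; anything else would
// cause a request outside it.
function isLocalUrl(value) {
  let url;
  try {
    url = new URL(String(value), NODE_ORIGIN + "/");
  } catch (e) {
    return false; // unparsable input is rejected, not passed through
  }
  return url.origin === NODE_ORIGIN;
}

// Replace a URL-bearing property with a checked accessor (the sanitised
// setter). Returns the list that collects refused values.
function guardUrlSetter(element, prop) {
  let stored = "";
  const blocked = [];
  Object.defineProperty(element, prop, {
    get() { return stored; },
    set(value) {
      if (isLocalUrl(value)) stored = String(value);
      else blocked.push(String(value));
    },
    configurable: false, // script on the page cannot redefine the accessor
  });
  return blocked;
}

// Constructed stand-in for an <img> element with a second write path.
function makeFakeImage() {
  const attrs = {};
  return { attrs, setAttribute(name, value) { attrs[name] = String(value); } };
}

function demo() {
  const img = makeFakeImage();
  const blocked = guardUrlSetter(img, "src");
  img.src = "/CHK@example/picture.png";         // relative: stays on the node
  const kept = img.src;
  img.src = "http://tracker.example/pixel.gif"; // external: refused
  img.src = "//tracker.example/pixel.gif";      // protocol-relative: refused
  img.setAttribute("src", "http://tracker.example/pixel.gif"); // setter never sees this
  return { kept, current: img.src, blocked, viaAttribute: img.attrs.src };
}
```

The `viaAttribute` result shows why guarding one setter is not enough: every other way of writing the same value needs its own check, which is the size of the project the thread describes.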