portals-jetspeed-dev mailing list archives

From bur...@openprivacy.org (Kevin A. Burton)
Subject Re: Syndication of javascript: urls as a security window?
Date Sat, 02 Mar 2002 02:28:23 GMT

Santiago Gala <sgala@hisitech.com> writes:

> It does not look really awful for Jetspeed as a whole, as we usually get RSS
> channels from OCS feeds, which means that we have some kind of quality
> assurance from third parties. But I agree that we should prevent this
> happening.

Well... most secure systems don't rely on "quality assurance from third
parties" :)

It is a pretty trivial fix.  Just do a

if ( url.startsWith( "javascript:" ) ) {
    // Refuse the link: return, or throw an exception to reject the channel.
    throw new IllegalArgumentException( "javascript: URLs are not allowed" );
}


> We should check that dangerous protocols are removed from the channel when we
> create the portlet. Better than this, we should have a list of "innocent"
> protocols to allow in <links>, like http or ftp and refuse to take any URI
> that does not begin with one of those protocols.

Yes... but a lot of more modern systems which are perfectly safe might not
work.  AKA mojo ids, JXTA urns, etc.

Reptile is probably just going to remove support for javascript:

I don't think there is a vbscript: URI notation for IE.  (this javascript URL
is a bad idea)

> This could be done in the NewRSSPortlet.init() and
> JetspeedContentPortlet.init() , at least. Other places?
> Thanks for relaying the info, Kevin

No problem.


-- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
             Location - San Francisco, CA, Cell - 415.595.9965
        Jabber - burtonator@jabber.org,  Web - http://relativity.yi.org/

...the biggest breakthrough in biotechnology since the breakthrough it fixes.
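An added example, not Jetspeed's or Kevin's code: a small Java allowlist check of the kind Santiago proposes for channel <link> values, contrasted with the startsWith blocklist from the message above. It uses java.net.URI to extract the scheme instead of matching a string prefix, so case variants and leading whitespace are handled, and anything the parser refuses is rejected rather than guessed at. The class and method names are hypothetical, and the sample links are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical allowlist filter for <link> values taken from an untrusted
 * RSS channel. Not part of Jetspeed; written for this thread as an example.
 */
public final class LinkSchemeFilter {

    /** Schemes the portal is willing to emit into an href (example defaults). */
    private static final Set<String> DEFAULT_ALLOWED =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList("http", "https", "ftp")));

    private final Set<String> allowed;

    public LinkSchemeFilter(Set<String> allowedSchemes) {
        Set<String> lower = new HashSet<>();
        for (String s : allowedSchemes) {
            lower.add(s.toLowerCase(Locale.ROOT));
        }
        this.allowed = Collections.unmodifiableSet(lower);
    }

    public LinkSchemeFilter() {
        this(DEFAULT_ALLOWED);
    }

    /**
     * Returns true only if the link parses as an absolute URI whose scheme is
     * on the allowlist. Parse failures (embedded whitespace, control
     * characters) and scheme-less links are refused.
     */
    public boolean isAllowed(String link) {
        if (link == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(link.trim());
        } catch (URISyntaxException e) {
            return false;               // malformed: do not try to repair it
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false;               // relative or scheme-less link
        }
        return allowed.contains(scheme.toLowerCase(Locale.ROOT));
    }

    /** The blocklist from the message, kept for comparison. */
    public static boolean blocklistAllows(String link) {
        return link != null && !link.startsWith("javascript:");
    }

    public static void main(String[] args) {
        LinkSchemeFilter filter = new LinkSchemeFilter();
        // Constructed sample <link> values, as they might arrive from a feed.
        String[] samples = {
            "http://jakarta.apache.org/jetspeed/",
            "ftp://ftp.example.org/pub/",
            "javascript:alert(1)",
            "JavaScript:alert(1)",      // case variant: passes the blocklist
            " javascript:alert(1)",     // leading space: passes the blocklist
            "data:text/html,hello",     // not javascript:, but not on the allowlist
            "/relative/path",           // no scheme: refused by the allowlist
            "urn:jxta:uuid-1234",       // safe but unlisted: refused until added
        };
        for (String s : samples) {
            System.out.printf("%-40s blocklist=%-5s allowlist=%s%n",
                s, blocklistAllows(s), filter.isAllowed(s));
        }
    }
}
```

The last sample shows the trade-off Kevin raises: an allowlist refuses schemes such as JXTA urns until they are explicitly added, which is the cost of not having to enumerate every dangerous scheme a browser might honour.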

