urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.ikiwiki.info/srv/git/ikiwiki.info

master
Joey Hess 2010-03-12 16:44:47 -05:00
parent 0c3f59d33a b5e27e60ba
commit 693a0f1ef2
1 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/todo/finer_control_over___60__object___47____62__s.mdwn
View File

@ -27,13 +27,43 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
[[wishlist]]
> SVG can contain embedded javascript. The spec that you link to contains
> SVG can contain embedded javascript.
>> Indeed.
>> So, a more general tool (`XML::Scrubber`?) will be necessary to
>> refine both [XHTML][] and SVG.
>> … And to leave [MathML][] as is (?.)
>> — [[Ivan_Shmakov]], 2010-03-12Z.
> The spec that you link to contains
> examples of objects that contain python scripts, Microsoft OLE
> objects, and Java. And then there's flash. I don't think ikiwiki can
> assume all the possibilities are handled securely, particularly WRT XSS
> attacks.
> --[[Joey]]
>> I've scanned over all the `object` examples in the specification and
>> all of those that hold references to code (as opposed to data) have a
>> distinguishing `classid` attribute.
>> While I won't assert that it's impossible to reference code with
>> `data` (and, thanks to `text/xhtml+xml` and `image/svg+xml`, it is
>> *not* impossible), throwing away any of the “insecure”
>> attributes listed above together with limiting the possible URI's
>> (i. e., only *local* and certain `data:` ones for `data` and
>> `usemap`) should make `object` almost as harmless as, say, `img`.
>> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
>> restricted in such a way.)
>> Of the remaining issues I could only think of recursive
>> `object` — the one that references its container document.
>> — [[Ivan_Shmakov]], 2010-03-12Z.
## See also
* [Objects, Images, and Applets in HTML documents][objects-html]
@ -43,6 +73,8 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
* [Uniform Resource Identifier — the free encyclopedia][URI]
[HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
[MathML]: http://en.wikipedia.org/wiki/MathML
[objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html
[RFC 2397]: http://tools.ietf.org/html/rfc2397
[URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier
[XHTML]: http://en.wikipedia.org/wiki/XHTML