urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Note that <object /> still may be allowed, although in a form not suitable for, say, SVG inclusion.

master
http://oneingray.myopenid.com/ 2010-03-12 21:24:53 +00:00 committed by Joey Hess
parent 08485ec444
commit b5e27e60ba
1 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/todo/finer_control_over___60__object___47____62__s.mdwn
View File

@ -27,13 +27,43 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
[[wishlist]] [[wishlist]]
> SVG can contain embedded javascript. The spec that you link to contains > SVG can contain embedded javascript.
>> Indeed.
>> So, a more general tool (`XML::Scrubber`?) will be necessary to
>> refine both [XHTML][] and SVG.
>> &hellip; And to leave [MathML][] as is (?.)
>> &mdash;&nbsp;[[Ivan_Shmakov]], 2010-03-12Z.
> The spec that you link to contains
> examples of objects that contain python scripts, Microsoft OLE > examples of objects that contain python scripts, Microsoft OLE
> objects, and Java. And then there's flash. I don't think ikiwiki can > objects, and Java. And then there's flash. I don't think ikiwiki can
> assume all the possibilities are handled securely, particularly WRT XSS > assume all the possibilities are handled securely, particularly WRT XSS
> attacks. > attacks.
> --[[Joey]] > --[[Joey]]
>> I've scanned over all the `object` examples in the specification and
>> all of those that hold references to code (as opposed to data) have a
>> distinguishing `classid` attribute.
>> While I won't assert that it's impossible to reference code with
>> `data` (and, thanks to `text/xhtml+xml` and `image/svg+xml`, it is
>> *not* impossible), throwing away any of the &ldquo;insecure&rdquo;
>> attributes listed above together with limiting the possible URI's
>> (i.&nbsp;e., only *local* and certain `data:` ones for `data` and
>> `usemap`) should make `object` almost as harmless as, say, `img`.
>> (Though it certainly won't solve the [[SVG_problem|/todo/SVG]] being
>> restricted in such a way.)
>> Of the remaining issues I could only think of recursive
>> `object` &mdash; the one that references its container document.
>> &mdash;&nbsp;[[Ivan_Shmakov]], 2010-03-12Z.
## See also ## See also
* [Objects, Images, and Applets in HTML documents][objects-html] * [Objects, Images, and Applets in HTML documents][objects-html]
@ -43,6 +73,8 @@ For Ikiwiki, it may be nice to be able to restrict [URI's][URI] (as required by
* [Uniform Resource Identifier &mdash; the free encyclopedia][URI] * [Uniform Resource Identifier &mdash; the free encyclopedia][URI]
[HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm [HTML::Scrubber]: http://search.cpan.org/~podmaster/HTML-Scrubber-0.08/Scrubber.pm
[MathML]: http://en.wikipedia.org/wiki/MathML
[objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html [objects-html]: http://www.w3.org/TR/1999/REC-html401-19991224/struct/objects.html
[RFC 2397]: http://tools.ietf.org/html/rfc2397 [RFC 2397]: http://tools.ietf.org/html/rfc2397
[URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier [URI]: http://en.wikipedia.org/wiki/Uniform_Resource_Identifier
[XHTML]: http://en.wikipedia.org/wiki/XHTML