incubator-jspwiki-user mailing list archives

From Murray Altheim <murra...@altheim.com>
Subject Re: aliases?
Date Thu, 03 Jul 2008 02:56:00 GMT
Andrew Jaquith wrote:
> Bob, Murray and all --
> 
> While the TiddlyWiki plugin sounds like it is very convenient for users, 
> I don't see something like this being part of JSPWiki unless the 
> functionality is carefully constrained. In particular, the capability to 
> specify external URLs has "cross site scripting" written all over it. 
> ACLs would not be the answer, either -- you'd want to create a custom 
> Permission type for it, and have the right to use it enshrined in the 
> security policy.

Andrew,

Wouldn't a simple solution to that be to filter for URLs and have the
alias declaration fail upon finding any? Similarly, any XML/HTML markup?

E.g., if the alias string contains "<", ">", "&" or "://" we kill it.

Murray

...........................................................................
Murray Altheim <murray07 at altheim.com>                           ===  = =
http://www.altheim.com/murray/                                     = =  ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk               = =  = =

       Boundless wind and moon - the eye within eyes,
       Inexhaustible heaven and earth - the light beyond light,
       The willow dark, the flower bright - ten thousand houses,
       Knock at any door - there's one who will respond.
                                       -- The Blue Cliff Record
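
An added illustration, not code from JSPWiki or from anyone in this thread, of the reject-on-marker filter Murray proposes, shown beside a stricter allowlist check so the two can be compared on the same inputs; the allowlist pattern, the length limit and the sample aliases are assumptions of this example:

```python
import re

# Substrings the message proposes rejecting outright in an alias declaration.
DENYLIST = ("<", ">", "&", "://")

# Stricter alternative (an assumption of this example, not a JSPWiki rule):
# letters, digits, spaces, underscores and hyphens only, 1 to 64 characters.
ALLOWLIST = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def denylist_ok(alias: str) -> bool:
    """Accept unless one of the proposed markers appears anywhere in the alias."""
    return not any(marker in alias for marker in DENYLIST)


def allowlist_ok(alias: str) -> bool:
    """Accept only when the whole alias matches the allowed pattern."""
    return ALLOWLIST.fullmatch(alias) is not None


# Constructed sample aliases: ordinary names plus strings carrying markup or URLs.
SAMPLES = [
    "Main Page",
    "Release-Notes_2008",
    "<b>bold</b>",
    "http://example.com/",
    "Tom & Jerry",
    "%3Cb%3Ebold%3C/b%3E",          # angle brackets percent-encoded: no literal "<" or ">"
    "mailto:someone@example.com",  # a URL form that contains no "://"
]


def compare(aliases):
    """Return {alias: (denylist verdict, allowlist verdict)} for the given aliases."""
    return {a: (denylist_ok(a), allowlist_ok(a)) for a in aliases}


if __name__ == "__main__":
    for alias, (deny, allow) in compare(SAMPLES).items():
        deny_txt = "pass" if deny else "REJECT"
        allow_txt = "pass" if allow else "REJECT"
        print(f"{alias!r:32} denylist={deny_txt:6} allowlist={allow_txt}")
```

The last two samples pass the marker filter, since they contain none of the four markers, but fail the allowlist; that gap is why a positive pattern for what an alias may look like is the safer check when the value can end up in a page.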
