From: Nicolas V. <nve...@gm...> - 2008-11-30 21:53:33
Hi everyone,

I have been quite busy for several months on other matters than Jmol, so I haven't worked at all on the extension. I am happy to see people interested in making it work, and bringing it to Wikipedia.

On the matter of security issues, there are at least 2 things to do:

- Being able to entirely deactivate the possibility to let arbitrary Javascript be called by Jmol. I don't know if there's a way in Jmol to disable this. There's a need to completely disable the 'javascript' command in Jmol scripts. The problem is demonstrated by http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
- Ensuring that the extension doesn't allow for true Javascript injection (whatever text is entered by someone in the <jmol> tags, this only creates a Jmol applet and Jmol scripts, nothing else). I think this means ensuring that in the generated page, the text is always correctly escaped to prevent Javascript injection.

Both things clearly need to be done in order to hope to see Jmol on Wikipedia: having every editor able to add arbitrary Javascript that will be run by everyone viewing a page is a security issue.

The first problem needs first to be answered in the Jmol applet itself. Is there a way to add an option in the applet construction to remove the 'javascript' command in Jmol scripts? Bob?

The second problem needs to be treated in the extension. My knowledge on PHP and the security issues is limited (and I don't have much time available), so some help from someone knowing how to deal with the script injection would be very useful.

Nico
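The escaping requirement from the second point, as an added PHP example that is not code from the Jmol extension or from this thread: editor-supplied text from a <jmol> tag is encoded separately for the HTML attribute context and for the inline JavaScript string context it lands in, beside a naive concatenation that lets the tag body break out. The element layout and the `jmolScript()` call site are assumed for illustration.

```php
<?php
// Added example (not the extension's code): context-aware escaping of
// editor-controlled <jmol> tag content before it is written into the page.

// Naive version: raw concatenation lets the tag body close the string
// literal (or the <script> block) and run arbitrary code for every reader.
function jmolRenderAppletUnsafe(string $script): string {
    return '<script type="text/javascript">jmolScript("' . $script . '");</script>';
}

// Escape text for a double-quoted HTML attribute value.
function jmolEscapeAttr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Encode text as a JavaScript string literal that is also safe inside an
// inline <script> block: JSON_HEX_TAG turns '<' / '>' into \u003C / \u003E
// so a "</script>" in the data cannot terminate the block, and the other
// flags neutralise quotes and ampersands if the output is ever re-parsed as HTML.
function jmolEncodeJsString(string $text): string {
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Hardened version for one <jmol> tag. $file and $script are both
// editor-controlled; ids and structure are fixed by the extension
// (hypothetical layout, only the escaping discipline matters here).
function jmolRenderApplet(string $file, string $script): string {
    $html  = '<div class="jmol-applet" data-file="' . jmolEscapeAttr($file) . '"></div>' . "\n";
    $html .= '<script type="text/javascript">' . "\n";
    $html .= 'jmolScript(' . jmolEncodeJsString($script) . ');' . "\n";
    $html .= '</script>' . "\n";
    return $html;
}

// Constructed hostile inputs of the kind the demo page above illustrates:
// one tries to end the attribute, the other the string literal and the block.
$hostileFile   = 'caffeine.mol" onmouseover="alert(1)';
$hostileScript = "load x.pdb;\"); alert(document.cookie); //</script><script>alert(1)</script>";

echo "--- unsafe ---\n" . jmolRenderAppletUnsafe($hostileScript) . "\n";
echo "--- hardened ---\n" . jmolRenderApplet($hostileFile, $hostileScript);
```

In the hardened output the script text survives only as data inside one JavaScript string literal, so the applet still receives the Jmol script verbatim while the page itself gains no new executable code.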