Re: [Jmol-users] Jmol mediawiki extension

[Nicolas V. <nve...@gm...>]

Hi everyone,

I have been quite busy for several months on other matters than Jmol, so I
haven't worked at all on the extension.
I am happy to see people interested in making it work, and bringing it to
Wikipedia.

On the matter of security issues, there are at least 2 things to do :

   - Being able to entirely deactivate the possibility to let arbitrary
   Javascript being called by Jmol. I don't know if there's a way in Jmol to
   disable this. There's a need to completely disable the 'javascript' command
   in Jmol scripts. The problem is demonstrated by
   http://wiki.jmol.org:81/index.php/User:Ilmari_Karonen/JS_injection_demo
   - Ensuring that the extension doesn't allow for true Javascript injection
   (whatever text is entered by someone in the <jmol> tags, this only creates
   Jmol applet and Jmol scripts, nothing else). I think this means ensuring
   that in the generated page, the text is always correctly escaped to prevent
   Javascript injection.

Both things clearly need to be done in order to hope to see Jmol on
Wikipedia : having every editor being able to add arbitrary Javascript that
will be run by everyone viewing a page is a security issue.

The first problem needs first to be answered in the Jmol applet itself. Is
there a way to add an option in the applet construction to remove the
'javascript' command in Jmol scripts ? Bob ?

The second problem nees to be treated in the extension. My knowledge on PHP
and the security issues is limited (and I don't have much time avaiable), so
some help from someone knowing how to deal with the script injection would
be very useful.

Nico