Hello, I hate to complain but there seems to be
something strange happening with the "User Space"
box. I had it set up with a couple of quick-access links
to CNN and Penny Arcade, along with an IFRAME that
brought up a local weather forecast from NOAA's site.
This has all worked fine for the last two years, but
just yesterday the IFRAME seemed to disappear. I'm
not sure why; the only reason I can think of is that
it seemed to start after I had gone to my homepage
preferences to add a couple Slashboxes. I hit "Save",
went back to the front page, and I noticed the
weather iframe was gone! I tried adding the tag back
to the user space box, but every time I hit "Save" the
iframe tag disappears again.
This is really weird; I'd think it might be a
database problem that's causing all the user
slashboxes to blank out, but the <a href> tags are
still there, just as they've always been. Are there
any other reasons that the <iframe> would have been
cut off without the links being affected? Thank you
for your time.
Logged In: YES
user_id=3889
Sorry, but HTML tags usable in User Space have been restricted to forbid javascript. Trolls were socially engineering things to encourage people to put foreign-site Javascript into their User Space, which is a cross-site scripting attack waiting to happen.
When I get time I will review the list of HTML tags that should be allowed in this space, but I will need to look them over for security concerns before I make this change. I'll keep this bug live as a reminder to myself to do this.
Is IFRAME the only tag you need? If there are others let me know. I don't know offhand its security implications, I'll need to check it out.
Logged In: YES
user_id=485457
Thank you for the reply, jamiemccarthy. This is the first
I've heard of any such problems, and while I'm glad you
are trying to fix it, I'm not sure you're going about it
in the best way. Bear with me now :) While <iframe> is
more than enough for me, I am sure other users might want
to use other useful tags like <center>, <font>, or <pre>,
which are understandably verboten in the comments area, but
make sense to have in the user box. It might be better
to give the user slashbox a black list of unacceptable tags
instead of a white list as is done for comments (which I
can understand, since comments are public and affect
everybody). Perhaps you could make it only filter out
<script>, <object>, onload/onclick/onfocus attributes,
and other such things. But then, I'm sure somebody might
want to use a Java script in their user box too :(
I don't want to sound out of line here, but I'm not really
sure why there needs to be any filter on the user space at
all. You'll probably consider me naive for saying this,
but I think user space should be just that -- User space.
I think people should be educated on the dangers of cross-
site scripting, rather than protecting the ignorant from
themselves (while also unnecessarily limiting people who
know better). You could put a big, bold warning next to
the User Space box, saying "If you put scripts into this
box from another website, Slashdot is not responsible for
stolen passwords or other security holes!" Because after all,
somebody out there probably has a legitimate reason to
use Java in their User Space.
Anyway, once again, thank you for considering my bug report.
It's nice to see that you guys can still take time out of
your day after maintaining Slashdot and dealing with trolls
to help us little folk :) I hope we find a satisfactory
solution soon.
Logged In: YES
user_id=393447
I'm sorry about this, Mr. Jones. It's my fault that the
lameness filter got imposed on the user space, when it
really shouldn't be. Jamie thinks I have some sort of
hidden agenda in providing javascript for other Slashbots
to use. Jamie, if you're reading this, rest assured that I
had no ulterior motives (aside from making a stink about
subscriptions, but hey, I'm a troll, that's what I do :-)
and I'm not entirely sure what you're implying by "social
engineering". (And I'm only one person; you can refer to me
as "a troll" instead of "trolls").
Anyway, the comment in question was here:
http://slashdot.org/comments.pl?sid=28988&cid=3115825
I made the mistake of instructing people to point the
script directly at the copy on my own webspace, instead of
making it clear that it should be downloaded to a local
file and referenced from there. It was stupid in hindsight,
but there's not much I can do about that now. Anyway
Jamie, please take the filters off the user space! You know
that the Government trying to ban all video games because
of a few freak incidents like Columbine is stupid. You know
that taking away civil liberties in the name of "fighting
terrorism" is silly. While of course Slashdot's User Space
is nowhere near on the same scale, it's the same
principle. It is _USER_ space, and if an idiot puts bad
stuff in his box, then he should've known better. You're
needlessly inhibiting legitimate uses for the User Slashbox.
Just let go of it.
Logged In: YES
user_id=3889
Joe -- center, font, and pre are probably worth allowing too. Which means I should probably just go through the HTML spec and allow almost everything. I haven't had a chance to evaluate iframe yet.
It has to be a whitelist of acceptable tags, rather than blacklisting dangerous tags, because that's the only way to do things securely. The chances of there being a clever way to work around restrictions go up immensely in any complex system, if you "block bad" instead of "allow good." Just a general rule of thumb.
I considered just putting a warning on the box saying "you really don't want to do this," until I saw how many people had already done it. Cross-site scripting is a subtle risk, and that makes it extremely dangerous. I understand your thinking, honestly, but we've considered this carefully.
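As an added illustration of the "allow good" rather than "block bad" point in this reply (example code, not Slashcode's own filter; the tag list, helper names and sample markup are my own), a small allowlist filter: only listed tags and attributes survive, so `<script>`, `src=`, `on*=` handlers and `javascript:` links are dropped without needing a rule for each one.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: tag -> attributes that may survive on it. Anything not listed
# is dropped. (Constructed for this example; not Slashcode's actual list.)
ALLOWED = {
    "a": {"href"}, "b": set(), "i": set(), "u": set(), "br": set(),
    "p": set(), "center": set(), "font": {"color", "size"}, "pre": set(),
}
SAFE_URL_SCHEMES = {"http", "https"}   # relative, javascript:, file: etc. fail
VOID = {"br"}                          # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}     # drop the tag AND the text inside it


class AllowlistFilter(HTMLParser):
    """Rebuilds markup keeping only allowlisted tags/attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED:
            return  # unknown tag (iframe, object, ...): drop tag, keep its text
        kept = []
        for name, value in attrs:  # names arrive lowercased by HTMLParser
            if name not in ALLOWED[tag] or value is None:
                continue  # onclick=, onload=, src=, style=, ... never pass
            if name == "href" and urlsplit(value).scheme not in SAFE_URL_SCHEMES:
                continue  # javascript:, data:, file: links are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is never re-emitted raw


def sanitize_user_space(markup):
    """Return markup containing only allowlisted tags and attributes."""
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)
```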
Logged In: YES
user_id=485457
I know I shouldn't feed the trolls, but I can see where
jamiemccarthy is coming from, s_trooper. By looking at your
comment, if a lot of people did copy in that Java script
pointing directly at your page, it would give you undue
control over those accounts, regardless of your
intentions. jamiemccarthy, would it be possible to allow
<script>, but block out the src="..." attribute, so that
users can only insert literal Java code without referencing
potentially dangerous code on troll websites? The problem
I see here with the troll's comment is that he can switch
in any code he wants for that script, which is a big
problem. Inserting literal Java code would be less
problematic and would ensure that the users know exactly
what they're putting into the user space. Maybe you could
also refuse Java scripts which try to access
"document.cookie" for added security, in case a troll
discovers a way to sneak code in the user space undetected.
Logged In: YES
user_id=393447
Well joe, your idea sounds like a decent compromise.
Though, if I may, I have one comment to make. Javascript
can get to be quite large (especially when trying to work
around the niggling incompatibilities of each browser's
implementation). Being able to store the script in a
file is sometimes necessary, especially when faced with
the relatively small maximum size of the user slashbox.
So, instead of banning all <script src> attributes
outright, perhaps you could filter out all src attributes
unless they have a file:/// URL specified. If a user
has a .js file on his local machine, he probably knows what
it does already, and it should be safe.
Logged In: NO
The problem with blocking an src element, or restricting it to file:// is that it would be quite easy to circumvent using a couple document.write(); calls. (write in another script tag, with an src). And the problem with an iframe is that the containing page could contain javascripts. (Though I don't think they'd have access to slashdot cookies, since the page is on another server, not sure on that though..)
Ultimately, I think the solution is to allow scripts but put a big warning next to the userspace box. Make it very clear that people should never ever ever link to script files from untrusted sites. I think you can trust the users that much. Unless, as I'm sure many people suspect, you actually aren't just opposed to offsite scripts but rather to any scripts whatsoever. The fact that scripts can easily block your primary revenue source (ads) is no doubt a reasonable concern, and who knows, there may be other reasons too. Slashdot has every right to make that call, and I respect that (though I wish they'd reconsider...).
But jamie, please, could you allow the STYLE tag? Just that one tag would really make my day. That way, users can create their own stylesheet and customize their slashdot appearance, and I don't think there are any security issues with that at all. And, again, it's your call of course, but if you decide NOT to allow the style tag could you please enlighten us with the reason why?
Thank you.
-kilgoretrout
Logged In: YES
user_id=392537
I don't believe file:// works for javascript, at least in
mozilla. Consider the possibility of a malicious web page
including "file:///home/wcbell/.netscape/prefs.js" and using
its own scripting to read your browser settings (including
real name, location bar history, etc.) to send back to the
site. It's a potentially big privacy issue.
Joe: here's an idea: install Junkbuster (the beta from
Sourceforge). It comes with a file called re_filterfile
that lets you define regular expressions that are applied to
html pages from every site you visit. Add some unique text
like "JOES_USER_SLASHBOX" to your user slashbox. Then add a
regexp to re_filterfile that replaces "JOES_USER_SLASHBOX"
with your desired iframe/script tags. Voila! The weather
box returns, and as an added bonus it will get rid of those
pesky slashdot ads for free, hastening the inevitable death
of Slashdot.org.
Logged In: YES
user_id=3889
We may still revisit this someday. But looking at it again, the total
reward (benefit per user times number of users who would use it) is not
even close to being worth our time investment (every single change
could create painful XSS issues and must be thought through very
carefully). We've spent a lot of effort to avoid XSS and our resources
are too limited to open this door now.
I'm dropping the priority; if we ever get a ton of free time, we'll look at
this, but don't hold your breath.