#22 Problems with "User Space" slashbox

Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2003-02-04
Created: 2002-03-17
Creator: Joe Jones
Private: No

Hello, I hate to complain but there seems to be
something strange happening with the "User Space"
box. I had it set up with a couple quick access links
to CNN and Penny Arcade, along with an IFRAME that
brought up a local weather forecast from NOAA's site.
This has all worked fine for the last two years, but
just yesterday the IFRAME seemed to disappear. I'm
not sure why; the only reason I can think of is that
it seemed to start after I had gone to my homepage
preferences to add a couple Slashboxes. I hit "Save",
went back to the front page, and I noticed the
weather iframe was gone! I tried adding the tag back
to the user space box, but every time I hit "Save" the
iframe tag disappears again.

This is really weird; I'd think it might be a
database problem that's causing all the user
slashboxes to blank out, but the <a href> tags are
still there, just as they've always been. Are there
any other reasons that the <iframe> would have been
cut off without the links being affected? Thank you
for your time.

Discussion

  • Jamie McCarthy

    Jamie McCarthy - 2002-03-18

    Logged In: YES
    user_id=3889

    Sorry, but HTML tags usable in User Space have been restricted to forbid javascript. Trolls were socially engineering things to encourage people to put foreign-site Javascript into their User Space, which is a cross-site scripting attack waiting to happen.

    When I get time I will review the list of HTML tags that should be allowed in this space, but I will need to look them over for security concerns before I make this change. I'll keep this bug live as a reminder to myself to do this.

    Is IFRAME the only tag you need? If there are others let me know. I don't know offhand its security implications, I'll need to check it out.

     
  • Jamie McCarthy

    Jamie McCarthy - 2002-03-18
    • assigned_to: nobody --> jamiemccarthy
    • priority: 5 --> 6
    • milestone: 101417 --> 169310
    • labels: 351250 --> 102028
     
  • Joe Jones

    Joe Jones - 2002-03-18

    Logged In: YES
    user_id=485457

    Thank you for the reply, jamiemccarthy. This is the first
    I've heard of any such problems, and while I'm glad you
    are trying to fix it, I'm not sure you're going about it
    in the best way. Bear with me now :) While <iframe> is
    more than enough for me, I am sure other users might want
    to use other useful tags like <center>, <font>, or <pre>,
    which are understandably verboten in the comments area, but
    make sense to have in the user box. It might be better
    to give the user slashbox a black list of unacceptable tags
    instead of a white list as is done for comments (which I
    can understand, since comments are public and affect
    everybody). Perhaps you could make it only filter out
    <script>, <object>, onload/onclick/onfocus attributes,
    and other such things. But then, I'm sure somebody might
    want to use a Java script in their user box too :(

    I don't want to sound out of line here, but I'm not really
    sure why there needs to be any filter on the user space at
    all. You'll probably consider me naive for saying this,
    but I think user space should be just that -- User space.
    I think people should be educated on the dangers of cross-
    site scripting, rather than protecting the ignorant from
    themselves (while also unnecessarily limiting people who
    know better). You could put a big, bold warning next to
    the User Space box, saying "If you put scripts into this
    box from another website, Slashdot is not responsible for
    stolen passwords or other security holes!" Because after all,
    somebody out there probably has a legitimate reason to
    use Java in their User Space.

    Anyway, once again, thank you for considering my bug report.
    It's nice to see that you guys can still take time out of
    your day after maintaining Slashdot and dealing with trolls
    to help us little folk :) I hope we find a satisfactory
    solution soon.

     
  • Jon Anderson

    Jon Anderson - 2002-03-18

    Logged In: YES
    user_id=393447

    I'm sorry about this, Mr. Jones. It's my fault that the
    lameness filter got imposed on the user space, when it
    really shouldn't be. Jamie thinks I have some sort of
    hidden agenda in providing javascript for other Slashbots
    to use. Jamie, if you're reading this, rest assured that I
    had no ulterior motives (aside from making a stink about
    subscriptions, but hey, I'm a troll, that's what I do :-)
    and I'm not entirely sure what you're implying by "social
    engineering". (And I'm only one person; you can refer to me
    as "a troll" instead of "trolls").

    Anyway, the comment in question was here:
    http://slashdot.org/comments.pl?sid=28988&cid=3115825
    I made the mistake of instructing people to point the
    script directly at the copy on my own webspace, instead of
    making it clear that it should be downloaded to a local
    file and referenced from there. It was stupid in hindsight,
    but there's not much I can do about that now. Anyway
    Jamie, please take the filters off the user space! You know
    that the Government trying to ban all video games because
    of a few freak incidents like Columbine is stupid. You know
    that taking away civil liberties in the name of "fighting
    terrorism" is silly. While of course Slashdot's User Space
    is nowhere near on the same scale, it's the same
    principle. It is _USER_ space, and if an idiot puts bad
    stuff in his box, then he should've known better. You're
    needlessly inhibiting legitimate uses for the User Slashbox.
    Just let go of it.

     
  • Jamie McCarthy

    Jamie McCarthy - 2002-03-18

    Logged In: YES
    user_id=3889

    Joe -- center, font, and pre are probably worth allowing too. Which means I should probably just go through the HTML spec and allow almost everything. I haven't had a chance to evaluate iframe yet.

    It has to be a whitelist of acceptable tags, rather than blacklisting dangerous tags, because that's the only way to do things securely. The chances of there being a clever way to work around restrictions go up immensely in any complex system, if you "block bad" instead of "allow good." Just a general rule of thumb.

    I considered just putting a warning on the box saying "you really don't want to do this," until I saw how many people had already done it. Cross-site scripting is a subtle risk, and that makes it extremely dangerous. I understand your thinking, honestly, but we've considered this carefully.
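An allowlist ("allow good") filter of the kind Jamie describes, added here as an illustration; it is not Slash's own code (Slash is Perl, this is Python), and the tag, attribute and URL-scheme lists are assumptions chosen for the example:

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed): tag -> permitted attributes. iframe, script and on* are absent.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "br": set(), "p": set(), "pre": set(), "center": set()}
SAFE_SCHEMES = {"http", "https", ""}   # "" = relative URL
VOID = {"br"}                          # no closing tag
DROP_CONTENT = {"script", "style"}     # drop the tag and its body

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED:            # unknown tag: strip it, keep its text
            kept = []
            for name, value in attrs:
                value = (value or "").strip()
                m = re.match(r"([a-zA-Z][a-zA-Z0-9+.-]*):", value)
                scheme = m.group(1).lower() if m else ""
                # Links: only http(s)/relative, and no control characters.
                bad_link = name == "href" and (scheme not in SAFE_SCHEMES
                                               or any(ord(c) < 0x20 for c in value))
                if name in ALLOWED[tag] and not bad_link:
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag not in VOID:
                self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in self.stack:         # also close tags left open inside it
            while self.stack:
                closed = self.stack.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

def sanitize(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.stack:                 # close whatever the author left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)
```

Because the filter only emits what it recognises, a new tag or attribute has to be reviewed and added before it passes, which is the property a denylist cannot give.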

     
  • Joe Jones

    Joe Jones - 2002-03-19

    Logged In: YES
    user_id=485457

    I know I shouldn't feed the trolls, but I can see where
    jamiemccarthy is coming from, s_trooper. By looking at your
    comment, if a lot of people did copy in that Java script
    pointing directly at your page, it would give you undue
    control over those accounts, regardless of your
    intentions. jamiemccarthy, would it be possible to allow
    <script>, but block out the src="..." attribute, so that
    users can only insert literal Java code without referencing
    potentially dangerous code on troll websites? The problem
    I see here with the troll's comment is that he can switch
    in any code he wants for that script, which is a big
    problem. Inserting literal Java code would be less
    problematic and would ensure that the users know exactly
    what they're putting into the user space. Maybe you could
    also refuse Java scripts which try to access
    "document.cookie" for added security, in case a troll
    discovers a way to sneak code in the user space undetected.

     
  • Jon Anderson

    Jon Anderson - 2002-03-19

    Logged In: YES
    user_id=393447

    Well joe, your idea sounds like a decent compromise.
    Though, if I may, I have one comment to make. Javascript
    can get to be quite large (especially when trying to work
    around the niggling incompatibilities of each browser's
    implementation). Being able to store the script in a
    file is sometimes necessary, especially when faced with
    the relatively small maximum size of the user slashbox.
    So, instead of banning all <script src> attributes
    outright, perhaps you could filter out all src attributes
    unless they have a file:/// URL specified. If a user
    has a .js file on his local machine, he probably knows what
    it does already, and it should be safe.

     
  • Nobody/Anonymous

    Logged In: NO

    The problem with blocking an src element, or restricting it to file:// is that it would be quite easy to circumvent using a couple document.write(); calls. (write in another script tag, with an src). And the problem with an iframe is that the containing page could contain javascripts. (Though I don't think they'd have access to slashdot cookies, since the page is on another server, not sure on that though..)

    Ultimately, I think the solution is to allow scripts but put a big warning next to the userspace box. Make it very clear that people should never ever ever link to script files from untrusted sites. I think you can trust the users that much. Unless, as I'm sure many people suspect, you actually aren't just opposed to offsite scripts but rather to any scripts whatsoever. The fact that scripts can easily block your primary revenue source (ads) is no doubt a reasonable concern, and who knows, there may be other reasons too. Slashdot has every right to make that call, and I respect that (though I wish they'd reconsider...).

    But jamie, please, could you allow the STYLE tag? Just that one tag would really make my day. That way, users can create their own stylesheet and customize their slashdot appearance, and I don't think there are any security issues with that at all. And, again, it's your call of course, but if you decide NOT to allow the style tag could you please enlighten us with the reason why?

    Thank you.

    -kilgoretrout

     
  • Walter Bell

    Walter Bell - 2002-03-21

    Logged In: YES
    user_id=392537

    I don't believe file:// works for javascript, at least in
    mozilla. Consider the possibility of a malicious web page
    including "file:///home/wcbell/.netscape/prefs.js" and using
    its own scripting to read your browser settings (including
    real name, location bar history, etc.) to send back to the
    site. It's a potentially big privacy issue.

    Joe: here's an idea: install Junkbuster (the beta from
    Sourceforge). It comes with a file called re_filterfile
    that lets you define regular expressions that are applied to
    html pages from every site you visit. Add some unique text
    like "JOES_USER_SLASHBOX" to your user slashbox. Then add a
    regexp to re_filterfile that replaces "JOES_USER_SLASHBOX"
    with your desired iframe/script tags. Voila! The weather
    box returns, and as an added bonus it will get rid of those
    pesky slashdot ads for free, hastening the inevitable death
    of Slashdot.org.

     
  • Jamie McCarthy

    Jamie McCarthy - 2002-03-22
    • milestone: 169310 -->
    • labels: 102028 -->
    • assigned_to: jamiemccarthy --> nobody
     
  • Jamie McCarthy

    Jamie McCarthy - 2002-03-22
    • assigned_to: nobody --> jamiemccarthy
    • labels: --> 310787
     
  • Jamie McCarthy

    Jamie McCarthy - 2002-03-22
    • milestone: --> 191917
     
  • Jamie McCarthy

    Jamie McCarthy - 2002-09-10
    • priority: 6 --> 1
     
  • Jamie McCarthy

    Jamie McCarthy - 2002-09-10

    Logged In: YES
    user_id=3889

    We may still revisit this someday. But looking at it again, the total
    reward (benefit per user times number of users who would use it) is not
    even close to being worth our time investment (every single change
    could create painful XSS issues and must be thought through very
    carefully). We've spent a lot of effort to avoid XSS and our resources
    are too limited to open this door now.

    I'm dropping the priority; if we ever get a ton of free time, we'll look at
    this, but don't hold your breath.

     
  • Jamie McCarthy

    Jamie McCarthy - 2003-02-04
    • labels: 310787 -->
    • assigned_to: jamiemccarthy --> nobody
    • milestone: 191917 -->
     
