Re: [syndication] Syndication of javascript: urls as a security window?
Jim Winstead <jimw-yahoo@trainedmonkey.com> writes:
> On Wed, Feb 27, 2002 at 03:40:28PM -0800, Brian Aker wrote:
> > On Wed, 2002-02-27 at 15:10, burton@openprivacy.org wrote:
> > > This somethingBad() could be a one line Javascript to get cookies and
> > > to create a URL with this info and post to a site.
> > >
> > > We should document this somewhere and encourage aggregators to remove
> > > javascript: urls.
> >
> > We fixed this on Slashdot some time ago. We never had anyone do it, but
> > we considered it just a matter of time till someone did. I imagine that
> > it is one of those exploits that are just waiting to bite a number of
> > people.
>
> with rss 0.92, the problem is likely compounded. a naive aggregator
> could do bad things with an entry like:
>
> <item>
> <description><script>window.close()</script></description>
> </item>
>
> a news aggregation page that closes the window every time you load it
> probably wouldn't be very much fun.
<snip/>
Wow... that would be really bad. I haven't implemented this part of the spec
yet. Specifically because we require XHTML and syndicators would feed valid
HTML which is invalid XHTML.
I would have only decoded certain elements though :)
Kevin
-- 
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
Location - San Francisco, CA, Cell - 415.595.9965
Jabber - burtonator@jabber.org, Web - http://relativity.yi.org/
Copyright, like patents, benefits only those who can enforce it.