Re^3: Let users link in a javascript library (required)

For the sake of clarity, my proposal to properly filter javascript requires filtering HTML as well. So, yes, if you want to see what is going to happen, go to User Settings and turn on "Filter HTML of monks' homenodes".

My impression is that the allowed tags are already pretty much where they can and should be.

As a first step, we should turn on this setting for AnonyMonk (not as easy at one might guess, since I've tried before and failed). Another attempt is now on the top of my to-do list.

- tye

Comment on Re^3: Let users link in a javascript library (required)

Replies are listed 'Best First'.
Re^4: Let users link in a javascript library (required) by ysth (Canon) on Apr 15, 2008 at 06:21 UTC
My impression is that the allowed tags are already pretty much where they can and should be. I guess I'm misremembering, then. I thought we'd discussed allowing a broader range of things on homenodes. I wouldn't be drastically opposed to being restrictive initially, then seeing what people clamor for, but in principle I'd like to see monks have more artistic freedom on their homenode. -- Online Fortune Cookie Search	[reply]
Re^4: Let users link in a javascript library (required) by ysth (Canon) on Apr 16, 2008 at 19:52 UTC
My impression is that the allowed tags are already pretty much where they can and should be. In my previous response, I was assuming you meant just the Perl Monks Approved HTML Tags. I'd forgotten there were the additional tags allowed for homenodes. What are your concerns about external imgs? They'd allow ipaddr logging; is there any other concern? -- Online Fortune Cookie Search	[reply]
Re^5: Let users link in a javascript library (required) by moritz (Cardinal) on Apr 16, 2008 at 19:58 UTC
Cross-site request forgery. Since most users allow the browser to load images, an external image can be used to trigger an GET request to an arbitrary URL, and the browser sends all session cookies of the target domain to that URL. Without any interaction from the user. While state change on the server side should not be triggered by GET requests they often are. So it's safer to forbid them.	[reply]
Re^6: Let users link in a javascript library (required) by ysth (Canon) on Apr 16, 2008 at 20:04 UTC
I don't get the (ab)use case. A monk sets up an external img; another monk visits the homenode and their cookies from that external site are sent to the external site? Can you explain the problem? -- Online Fortune Cookie Search	[reply]
Re^7: Let users link in a javascript library (required) by Corion (Patriarch) on Apr 16, 2008 at 20:07 UTC
Re^8: Let users link in a javascript library (required) by ysth (Canon) on Apr 16, 2008 at 20:12 UTC
Re^7: Let users link in a javascript library (required) by moritz (Cardinal) on Apr 16, 2008 at 21:42 UTC
Re^7: Let users link in a javascript library (required) by tinita (Parson) on Apr 16, 2008 at 21:51 UTC
A reply falls below the community's threshold of quality. You may see it by logging in.