Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Javascript and other evil goodies

by turnstep (Parson)
on Aug 22, 2000 at 21:22 UTC ( #29054=monkdiscuss: print w/replies, xml ) Need Help??

Since I am firmly in the expose, don't hide camp, I would like to bring up a discussion about the fact the nodes on this site are editable by third parties. Not only can text be added, but annoying HTML markup and even javascript, which can be used to grab things that should not be (e.g. cookie info). How do we limit this? Nobody has a really malicious home node or post that I know of right now (although some log you out, which I find really rude), but it would be fairly easy to create a simple link in a post that would do Bad Things.

Perhaps we could limit HTML to simple things, like A, LI, OL, UL, etc. and only allow more advanced and/or easily abused things like FONT H1 SCRIPT to higher levels?

Replies are listed 'Best First'.
RE: Javascript and other evil goodies
by Adam (Vicar) on Aug 22, 2000 at 21:49 UTC
    This is a problem that should be solved with a scalpel, not a battle ax. One of the things that makes this site fun is its flexability and creativity. We should not remove all of javascript just because it can be used to read cookies, we should just remove document.cookie. What we need is something that checks a post for validity and returns to the user with the post and the message, "This post is invalid, it uses forbidden blah blah blah" or something.
RE: Javascript and other evil goodies
by merlyn (Sage) on Aug 22, 2000 at 21:27 UTC
    And just to thwart it further, it has to be valid XHTML, so closing tags are not optional and attribute values have to be quoted.

    only half smiley, but it'd make validating against a DTD of permitted items fairly easy.

    -- Randal L. Schwartz, Perl hacker

RE: Javascript and other evil goodies
by le (Friar) on Aug 22, 2000 at 21:29 UTC
    I think this is a good idea, but I don't want evil tags be used only by higher level monks. This is something like "All animals are equal, but some are more equal."

    I would only allow more or less harmless tags like A, I, B, lists a.s.o., for everybody here, regardless of level.

      I don't agree, there are lots of things that we only trust higher level monks with. There's no reason why this shouldn't be another one.

      Nuance

RE: Javascript and other evil goodies
by t0mas (Priest) on Aug 23, 2000 at 14:52 UTC
    Some thougts of mine in this discussion (thanks for bringing it up turnstep):

    The Monastery Gates is in a bad neighbourhood called The Internet. On the internet there are all sorts of stuff, some bad, some good.

    Everyone knows that, and most people tolerate it or don't care.

    If you think of this site as a part of the internet, you'll be fine but if you try to think of it as your local network, you'll be lost.

    The "problem" with PM is that you start feeling at home here, and you would like it to be your local network :) Monks care when other monks get yelled at/downvoted without proper reasons and we have had much of those discussions the past few months. That's a good thing and nothing you'll see on many other sites around.

    The question that arises here is wether or not, and to what degree, we want to let the Internet mentality enter The Monastery Gates. Is it possible to have a place like PM in our neighbourhood? I don't know. On the Internet, I don't go to sites with annoying HTML markup or embedded MIDI music (how can anyone like that!) and I disable JavaScript, ActiveX, etc. when I enter an unknown/distrusted site. Or use Lynx.

    In the PM site, I don't push those home node buttons and I would stop vistitng home nodes with broken HTML or other irritating content. The thing that I really would dislike would be if something happened behind my back, e.g. onLoad="make_t0mas_annoyed();", out of my control... A node with such content would be a clear candidate for Nodes To Consider and deletion IMO.

    A rule would make me happy:
    Nothing on the PM site is supposed to happen without me saying so. If I click on a "Please erase my disk" button - it's my fault, but if I get the disk erased without saying so, I would get mad.

    I actually like JavaScript and good use of HTML tags, they can make page shine a bit brigher, and I advocate their use. And I believe that the golden rule still stands: Do to others what you would have them do to you.

    /brother t0mas
RE: Javascript and other evil goodies
by KM (Priest) on Aug 22, 2000 at 21:28 UTC
    Personally, I would rather have JavaScript, Java, ActiveX, Flash, etc.. be stripped before posts to home nodes, or replies. Anything that could possibly be a security issue for the end user should be removed, IMO. Maybe allowing these things (well, not Java or ActiveX things) at higher levels is OK, since by time you are a higher level you have likely earned some 'trust'. Just my $.03

    Cheers,
    KM

      I would just like to make it clear, for the record, that I am a hypocrite. I've complained about anonymous -- votes before, but I couldn't be bothered to post a reason on this particular -- vote. I disagreed with KM's suggestion, voted it --, and moved on. Shame on me.

      The reason I voted id down is because I disagree with the idea that everything but HTML should be stripped from home nodes (on replies, I have no problem with it, but I didn't see that when I voted it down). Basically, a Monk's home node is their personal space (albeit freely granted by The Everything Development Company) and I can understand why they customize it. I can understand these things being security issues, but part of the problem here is striking a balance between diligence and freedom. Let's face it, one of the things that so many people find appealing about Perlmonks is the customization we can do.

      I have CSS on my home node, some have JavaScript, while others have forms that submit to CGI scripts. While I admit that sometimes these things get carried away, I feel that they add to the charm of this site. Yes, let's find ways to address security holes, but don't take away one of the things that makes Perlmonks special.

      Cheers,
      Ovid

      Update: Aargh! After reading through some of the comments and seeing some of the stuff that's going on in the chatterbox, I have to say that I was wrong in the above post. Sometimes kids need to have their toys taken away :(

        Basically, a Monk's home node is their personal space (albeit freely granted by The Everything Development Company) and I can understand why they customize it. I can understand these things being security issues, but part of the problem here is striking a balance between diligence and freedom. Let's face it, one of the things that so many people find appealing about Perlmonks is the customization we can do.
        Yes, and my physical home is also my home, but the law prevents me from storing dangerous chemicals or large animals here. It's called "public safety".

        I support free speech, but your right to free speech ends right at my browser, thank you. Browser programmability is unnecessary here at the monastery. If you wanna do that, link to your own website and put stuff there and invite us. I'd like the monastery to be a safe place.

        -- Randal L. Schwartz, Perl hacker

        For me your home node is now a visual booby-trap.

        Should embedded CSS become common, I will have to start consistently avoiding home nodes. If they become used elsewhere on a regular basis, I will stop visiting PM.

        BTW one concern of mine. I use a lot of Netscape. It is very easy to cause serious problems for Netscape without knowing it, and some here do not care. Should that become common, you will lose a lot more than just me...

        That's what we need more of in Discussion threads, actual discussion. Simply voting -- doesn't lend anything to the topic. In the midst of various opinions and ideas is usually a good compromise and solution.

        I agree that a home node is a personal space, per se. But, it can be exploited. I don't want to check out someones home node (like a new users) and have a barage of windows opening, or be stuck in some Yes/No dialog box loop. Or have someone setting cookies, etc... We have various privileges at certain levels, and maybe using CSS and JavaScript should be privileges. I still think anything like Java apps or ActiveX should be disallowed. Use those things on your own pages off of this site (IMO).

        Let's keep the charm, but keep down the (possible) harm.

        Cheers,
        KM

        There is a difference between a poorly written node and node you dont agree with.

        I was under the impression that you voted down poorly written nodes, not those that you disagree with.

RE: Javascript and other evil goodies
by athomason (Curate) on Aug 22, 2000 at 22:00 UTC
    I'll second the proposal with some reservations. First, a good definition of "unsafe tags" needs to be nailed down. I'm not sure what's allowed right now since I haven't submitted a broken post recently, but in theory even a stray </table> tag can cause trouble (anybody ever seen roblimo italicize an entire conversation?). Some of you might remember the CERT advisory on this very issue a few months ago. The range is extreme: obviously links to applets and ActiveX controls are dangerous, but what about malformed tables? Image tags linking to 800KB graphics? Forms?

    Also, "higher levels" should be a pretty conservative mark, I'd say around 3-4 at most. That keeps the AM trolls from doing damage without discouraging any newbies trying to post something fancy.

RE: Javascript and other evil goodies
by mikfire (Deacon) on Aug 22, 2000 at 21:49 UTC
    I agree with the learned brethren's comments, but I am uncertain it will work. I use href tags ( referring to other nodes on the site, referring to places not on the site, etc ) a lot. Once we allow href tags, do we really have any security? Can you write a parser that can tell the difference between me referring to myself ( like my sig ), using a mailto: tag ( several people like the "send email to x" sig ) and logging people out?

    mikfire

      This is perlmonks! If anyone can write a good perl script and/or a really interesting/efficient/accurate regular expression, we can! A parser to tel the difference between http://www.perlmonks.org and others, and only allow selective. No problem! :)

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: monkdiscuss [id://29054]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (7)
As of 2023-02-03 14:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    I prefer not to run the latest version of Perl because:







    Results (26 votes). Check out past polls.

    Notices?