Smilies Not Working In Forum Post

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This thread is closed to new posts.
5/22/2008 2:36:02 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

Your rationale for not using themes for this seems reasonable to me.  Thanks for the explanation.

As for allowing untrusted Flash, I don't think that can be done securely for arbitrary Flash.  Flash can make HTTP requests so it can be used for XSS attacks just like JavaScript.  If you wanted to trust particular Flash animations (e.g. a particular movie player), there could be a TrustedObjectUrlPattern property.  Actually, if you are going to trust particular Flash animations, you might as well trust particular JavaScript files and iframes with particular HTML files.  So perhaps, what is needed is a general TrustedUrlPattern property that, if set, allows untrusted content to contain object/embed/iframe/script tags with URLs that match the pattern.  That would be in addition to the TrustedImageUrlPattern, since presumably most sites that are willing to sacrifice some CSRF-security to allow images don't want to sacrifice XSS-security too.
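The allowlist check proposed in the post above, sketched in Python as an added example that is not part of the thread or of mojoPortal's code. The constant names mirror the properties named in the post; the example.com patterns, the `rejected_tags` helper and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed allowlists. The names mirror the properties proposed in the post;
# they are not confirmed mojoPortal settings.
TRUSTED_URL_PATTERN = re.compile(
    r"https://media\.example\.com/players/[\w/-]+\.(?:swf|js|html)", re.ASCII)
TRUSTED_IMAGE_URL_PATTERN = re.compile(
    r"https://img\.example\.com/[\w/-]+\.(?:png|gif|jpg)", re.ASCII)

# Tags that load active content, and the attribute carrying their URL.
ACTIVE_TAGS = {"object": "data", "embed": "src", "iframe": "src", "script": "src"}

# Constructed untrusted post body.
SAMPLE = (
    '<iframe src="https://media.example.com/players/video.html"></iframe>'
    '<embed src="https://evil.test/?u=https://media.example.com/players/p.swf">'
    '<script>alert(1)</script><img src="https://img.example.com/smilies/grin.gif">'
)

def url_allowed(url, pattern):
    """Allow a URL only if all of it matches the pattern and it is https."""
    if not url:
        return False  # inline <script> or a tag with no URL is never trusted
    url = url.strip()
    if not url.startswith("https://"):
        return False  # guards against an over-broad admin pattern
    # fullmatch, not search: a trusted URL embedded in a query string or used
    # as a hostname prefix must not pass.
    return pattern.fullmatch(url) is not None

class _TagChecker(HTMLParser):
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            ok = url_allowed(attrs.get(ACTIVE_TAGS[tag]), TRUSTED_URL_PATTERN)
        elif tag == "img":
            ok = url_allowed(attrs.get("src"), TRUSTED_IMAGE_URL_PATTERN)
        else:
            return
        if not ok:
            self.rejected.append(tag)

def rejected_tags(html):
    """Return, in document order, the tags that the two allowlists refuse."""
    checker = _TagChecker()
    checker.rejected = []
    checker.feed(html)
    return checker.rejected
```

This only reports which tags fail the URL allowlists; a real sanitizer would also have to strip the rejected elements and handle event-handler attributes.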

 

5/22/2008 5:52:17 PM
Total Posts 148

Re: Smilies Not Working In Forum Post

On a related note, if you want to allow scripts, you might want to look into Caja.  The main downside from your perspective is that the current JavaScript->Caja translator is written in Java (though there is an online translator).  However, if mojoPortal sites want to allow existing Caja scripts on their pages, you could support that without needing to use Java.

Also, since you mentioned social sites, you might want to look at OpenSocial.

 

5/23/2008 7:21:32 AM
Total Posts 18439

Re: Smilies Not Working In Forum Post

OpenSocial is definitely on my radar, though to some extent I think the social web stuff is mostly time wasting applications like silly vampire games. I do think getting all contacts synchronized across different sites is useful and some of the activity stream stuff is ok, but mostly what people do on Facebook, MySpace, etc. is waste time and I think the next bubble will be because we wasted a lot of time developing time wasting apps. LinkedIn and Plaxo are more moderate and don't have as many time wasting things but apparently people love to waste time and therefore Facebook and MySpace are more popular and now all these venture cap folks are putting a lot of effort into helping people waste their time more effectively. Sooner or later that bubble will pop.

But people do want to build social sites with mojoPortal and it poses some challenges. Currently if a user has permission to create pages and put features on them, that user has generally been given a good deal of trust and is considered a trusted user. But in social sites it's like they want anyone who registered to be able to create pages and add content under their own little node of the site. So in this case there is no particular reason to trust these users and yet we still want to grant them the power to create pages and put features on them as if we trusted them. And they want all the bells and whistles like Flash and Video. So to support this kind of site I think we do need more ways to limit the possible damage. Caja looks like a possible solution, thanks for that as I had not seen it before. I suppose we can also implement specific widgets for things like YouTube or use OpenSocial, but it seems like no matter what we do there is still a good deal of remaining risk from pulling in rich content from external sources. I think that a lot of organized cyber criminals are making MySpace their playground because it affords so many opportunities for deploying malware and gathering information that can be used in identity theft.

Anyway, I'm ranting, I'll stop now.
