Re: Publishing HTML
- From: Daniel Veillard <veillard redhat com>
- To: Dan Mueth <d-mueth uchicago edu>
- Cc: Trevor Curtis <trevor curtis home com>, Colm Smyth <Colm Smyth sun com>, GNOME Doc List <gnome-doc-list gnome org>
- Subject: Re: Publishing HTML
- Date: Tue, 26 Jun 2001 13:05:26 -0400
On Tue, Jun 26, 2001 at 10:35:06AM -0500, Dan Mueth wrote:
>
> On Tue, 26 Jun 2001, Trevor Curtis wrote:
>
> > On Tue, Jun 26, 2001 at 10:37:24AM +0100, Colm Smyth wrote:
> > > - (paranoia on) a multi-user writeable cache for html files creates more issues
> > > than one for man-pages; HTML isn't as harmless a document format as you might
> > > like because it is a host for executable content (javascript, plug-ins, java,
> > > ...; also remote execution (form input methods like cgi, servlets, ...)
> > > it would be possible to edit a html page to bind different actions to buttons
> > > or hyperlinks
> > >
> >
> > Hey. I'm new to all this, and so might be missing something, but why
> > would we worry about plugins? Going from xml/sgml -> html, we
> > typically don't use javascript or plugins of that sort. Or do you
> > mean this in just a general sense?
>
> Others here could probably answer this much better than I can, but I'll
> give it a shot.
>
> Untrusted  ___\  Black Box XML->HTML      ___\  shared  ___\  Help browser
> XML "doc"     /  converter (gnome-db2html)   /  cache      /  (Moz./Naut.)
>
> Any user can pass an untrusted document which they write or obtain from
> the web to the help system. It gets converted by gnome-db2html3 into an
> HTML file and cached for all other users to run through Nautilus (which is
> really just Mozilla for these purposes). So, if the untrusted document
> had executable content which could get through gnome-db2html, then we
> would have a cache file with malicious content which gets parsed by
> Mozilla by any other user on the system who happens to read that help
> file.
The executable content would have to be in a script element; just make sure
they can't be generated by the XSLT. Anyway, with chunking and document()
you have to trust the stylesheet you execute.
Daniel
--
Daniel Veillard | Red Hat Network http://redhat.com/products/network/
veillard redhat com | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/
Sep 17-18 2001 Brussels Red Hat TechWorld http://www.redhat-techworld.com