podcast descriptions and JavaScript

Mathias Panzenböck grosser.meister.morti at gmx.net
Sat Nov 28 02:38:38 CET 2009


The descriptions of podcasts might contain JavaScript, which might be bad. I
don't know what JavaScript executed in the context of the info applet (this is
where the description is rendered as HTML) is able to access. Even if it can't
access anything dangerous, I guess it could run in an endless loop, freezing Amarok.

The description might be XHTML, but in RSS 2.0 feeds it is more often HTML (which
is not well-formed XML because of <br> and such). This brings up the problem of
how to filter this JavaScript? Currently I apply a regular expression that
removes script tags. But that's not the only source of JavaScript. There are
also JavaScript links (<a href="javascript:alert('foo');">) and event handlers
(<img onclick="alert('foo');">). These aren't that easy to remove by regular
expression.

Does anyone have an idea how to filter this JavaScript? I don't think
deactivating JavaScript in the info widget is an option, because other contexts
than podcasts might want to use it. In my newest commit I use it to make channel
images zoomable by clicking them! So I'd rather keep JavaScript support. I'd tend
to say: If executing JavaScript in the context of the info applet is as secure
as in a web browser, then just don't do anything about it.

What do you say?

	-panzi
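
Added example, not part of the original message and not Amarok code: a Python sketch of allow-list filtering with a tolerant HTML parser, which covers the three vectors named above (script tags, javascript: links, event-handler attributes) without requiring well-formed XML. The tag and attribute allow-list, the accepted URL schemes, the sample input and all function names are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allow-list for this example: tag -> attributes it may keep.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt"}, "p": set(), "br": set(),
           "b": set(), "i": set(), "em": set(), "strong": set(), "ul": set(), "li": set()}
VOID = {"br", "img"}                 # tags that take no closing tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}     # javascript:, data: and relative URLs are rejected
DROP_WITH_CONTENT = {"script", "style"}
# Constructed sample description (not taken from a real feed).
SAMPLE = """<p>Ep 1<br><a href="javascript:alert('foo');">notes</a><img src="http://example.org/c.png" onclick="alert('foo');"><script>for(;;){}</script></p>"""

def safe_url(value):
    # Renderers ignore whitespace and control characters in the scheme, so strip them first.
    cleaned = "".join(ch for ch in value if ch > " ")
    scheme, sep, _ = cleaned.partition(":")
    return bool(sep) and scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:    # names arrive lower-cased, values entity-decoded
            if name not in ALLOWED[tag] or value is None:
                continue             # drops onclick=, style= and anything unknown
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_description(html_text):
    parser = Sanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from parsed tokens rather than edited in place, unknown tags and attributes are dropped by default, and text content is re-escaped before it reaches the renderer.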

