You could just assume that the content is always JSON and use
enclosure in "" as the signal that it's just a string.
That's effectively what the current RESTful API proposal does.
Alternatively, there should be a way to indicate that the content is
text/plain or application/json :)
Our app data support is very weak at the moment. We'll try to take
whatever's current prior to our launch at the end of the month.
--
Paul Lindner ||||| | | | | | | | | |
lin...@inuus.com
This thread seemed to be going somewhere useful. Were we approaching
consensus on anything?
Can we find some way to make the APIs safe for novice developers
without inconveniencing the more advanced types who are sticking JSON
in appdata?
I like this first solution best, but it's extra work to already existing
stores. I don't like the whole HTML escaping at all, I don't believe
getting free gloves with every knife you buy; you just need to know not
to cut yourself in the finger. It reminds me way too much of PHP's magic
quotes....
Then again, that issue has been discussed before and we decided in favor
of escaping then...
I like the second solution as it allows to explicitly support JSON as a data type while providing less overhead to simple data types.
-Oleg Pylnev
Myspace
- Cassie
Automatically escaping app data prevents developers from XSS attacks
as ineffectively as php's magic_quotes function against SQL injection.
+ one billion on not html-escaping the data!
+1 as well, false sense of security often leads to a whole lot of insecurity and bug\\\'s
1) any user can write to any of their friend's app data
2) the typical way a gadget uses app data is to pull data out and then
assign that data to innerHTML
Without automatic escaping, that's completely insecure. XSS worms
will spread through app data, infecting every user who has the
application installed.
I love the idea of providing an HTML sanitizer to make it easy for
developers to deal with rich text coming from untrusted sources. I
think the one from Caja is suitable, we just need to decide on a
function name for the opensocial spec.
Cheers,
Brian
On Mon, Apr 14, 2008 at 6:01 PM, Graham Spencer <g...@google.com> wrote:
I may be misunderstanding how appdata is used, so let me double check.
1) any user can write to any of their friend's app data
2) the typical way a gadget uses app data is to pull data out and then
assign that data to innerHTML
Maybe a function like 'setAppData(html, AppDataType.HTML)' that
automatically does HTML sanitization would improve the usability of
the API while still leaving it safe by default?
Cheers,
Brain
Automatic escaping does not solve the problem 100%, but it's extremely
rare to solve any kind of software security problem for 100% of cases.
The current escaping solves the problem for the simplest case where
gadgets are storing plain text in app data and assuming that they are
getting plain text back. If we don't do that escaping, the most
simple 'hello world' use of app data will have a serious security
problem.
Maybe a function like 'setAppData(html, AppDataType.HTML)' that
automatically does HTML sanitization would improve the usability of
the API while still leaving it safe by default?
Yeah, that's probably a good idea. Cleaning usually belongs where
data is used, not where it is stored.
> I think most single developers expect any kind of storage to behave in the
> way that what you put in is what you get out.
I really wish app data worked that way, but it doesn't. No matter
what a gadget puts in to app data, an attacker can modify the data
that people will see when they view the attackers page. Developers
who assume that the app data they read is the same as what they wrote
are going to have serious vulnerabilities in their gadgets.
"Serious vulnerability" is a very subjective term, so let me explain
the risk: app data can be used to spread XSS worms. If an attacker
discovers an XSS vulnerability that can be exploited through app data,
they will do so in such a way that
a) the attack payload spreads rapidly to all users of the app (The
Samy worm spread to 1 million users in under a day.)
b) the payload includes browser exploits that attempt to install
malware. (These attacks are very popular, because they can be
monetized.)
Can folks have a look at how the gadgets they are running are actually
using app data, and what portion of gadget developers are assuming
that the content they wrote to app data is the same as they are
getting back?
Cheers,
Brian
Cheers,
Brian
Thanks Cassie,
#2 Pros:
1) Expandability
2) Compact serialization
3) Potential support for default values.
#2 Cons:
1) Data Store needs to be modified
2) Container needs to be aware of data types
What about making the JSON the default format for option #2?
-Oleg
From:
opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Cassie
Sent: Sunday, April 20, 2008 9:29 AM
To: opensocial-an...@googlegroups.com
Subject: Re: Allow JavaScript objects to be stored in AppData
Thanks Reinoud!
I still care. Arne originally wrote:
"When returning an object, the container could then iterate over each
key in the parsed result and escape string values appropriately. The
result would be a native JS object with escaped fields, which would
not need to be unescaped to be usable in my application."
That's a good idea, I'd like to see it happen.
Cheers,
Brian
Another point for having specific data type is the potential expansion of data store:
Allow to sort friends app data for a specific key. Imagine if developer wants to execute following query: ‘select top 10 game scores from my friends’. Having specific data type will allow proper sorting.
I do see the need for a compromise and if none reached I would be fine with door #1.
-Oleg
From: opensocial-an...@googlegroups.com
[mailto:opensocial-an...@googlegroups.com] On Behalf Of Cassie
Sent: Wednesday, April 30, 2008 11:16 AM
To: opensocial-an...@googlegroups.com
Subject: Re: Allow JavaScript objects to be stored in AppData
Okay, so the opinions now stand like this: