Synopsis:
The os:Html tag adds complexity to the spec without providing any real
additional value in terms of security. Because of this, we propose
os:Html be deprecated from the 1.0 version of the spec.
(section proposed for deprecation)
http://www.opensocial.org/Technical-Resources/opensocial-spec-v09/OpenSocial-Templating.html#rfc.section.11
The intent of the os:Html tag is to provide for strict escaping rules
for rendering markup from untrusted or trusted sources. In practice
this forces a specific and sub-optimal security model for
implementers. Its protections are easily circumvented by using a
variety of other techniques, like gadgets.io.makeRequest, direct DOM
manipulation, or combinational attacks
ex:
Four requests each have data that is not problematic in isolation.
When placed together they construct an attack vector.
v1: <sc
v2: ript>alert('I just XSSed your bank account')<
v3: /s
v4: cript>
No single variable contains an obviously outlawed tag, but place them
together:
<os:Html code="${v1}" /><os:Html code="${v2}" /><os:Html code="${v3}" /
><os:Html code="${v4}" />
and they become:
<script>alert('I just XSSed your bank account')</script>
There are multiple more appropriate locations for providing security
filtering, either before or after the rendering:
* in the proxy layer being called by the request
* on the receiver of an <os:HttpRequest> tag when @format is specified
as "text"
* in the template renderer
* with a meta-sandbox, like Caja or Web Sandbox
Security is a difficult topic and the OpenSocial spec should not be
getting into the business of defining the security model a particular
implementer will use. That should be left to the implementer so that
we can allow for advances in security techniques and explore different
security implementations. Because of these reasons and the
shortcomings of the <os:Html> tag, we feel it should be removed from
the OpenSocial specification.