I think "Insecure" works better because you can see that it's potentially
dangerous when you use it. "Trusted" could be more easily mistaken for a
good thing that you don't need to worry about.

- Josh

On Wed, Jan 4, 2017 at 11:21 AM, OmPrakash Muppirala <bigosma...@gmail.com>
wrote:

> Before we lose context, I want add more of my thoughts here.
>
> I think the priority of things should be:
>
> 1.  Functionality
> 2.  Security
> 3.  Performance
>
> Alex probably thinks it should be:
>
> 1.  Functionality
> 2.  Performance
> 3.  Security
>
> As a compromise, in this context I am going to suggest that we go with:
>
> 1.  Security,
> 2.  Performance
> 3.  Functionality
>
> That is, security is still higher than functionality (which is what I
> want).  And the priority of performance has not changed (I think what Alex
> wants)
>
> To explain it in a bit more detail:  My goal is to not allow a developer to
> inadvertently add a bad piece of HTML to the DOM.  That is how security
> exploits occur.  We cannot simply say that it is upon the developer to
> ensure that a HTML snippet is sanitized before they use HTMLText to render
> it on the screen.  We've seen this happen to Flash Player in the past where
> ease of use was prioritized over security.  This behavior changed
> eventually, where security was considered when building each feature.  I
> think we should learn from that to avoid being labeled as 'insecure
> software' .
>
> The options that Alex suggested (doing it in the HTTPService layer, etc.)
> does not cut it.   Because:
>
> a.  It is not appropriate for HTTPService to divine the nature of a piece
> of data.  HTML can be used to display as DOM or shown to user to edit.  We
> could have two UI widgets one, that shows the HTML in an editable text
> area, and one that previews the HTML.  For example, editing an already
> comment in JIRA or a blog post and previewing it before saving.  If we
> blindly let the HTTPService sanitize the data, we are losing data.
> b.  A scary piece of HTML is not a security threat when it lives as a
> string.  There is no need to do anything about it.  It becomes a security
> threat only when it is added to the DOM.  So, sanitizing it just before it
> is added to the DOM is the most appropriate thing to do.  I guess this is
> perfectly adhering to the 'Pay as you go' philosophy.  Don't sanitize the
> HTML just in case, sanitize it just in time.
>
> So, as a compromise, here is what I propose:
>
> By default, HTMLText component expects an IHTMLSanitizer bead.  If such a
> bead is not available, the component will throw a runtime exception and it
> will not render the HTML.
>
> IHTMLSanitizer probably looks like this:
>
> function sanitizeHTML(v:String) :String;
>
> We will have two beads built in:
> 1.  HTMLSanitizer implements IHTMLSanitizer and uses a default algorithm to
> sanitize the given HTML.
> 2.  InsecureNoHTMLSanitizer implements IHTMLSanitizer which simply returns
> the same string back.
>
> We can build two 'express' components like this:
>
> express:HTMLText looks like this:
>
> <basic:HTMLText>
>   <basic:beads>
>     <basic:HTMLSanitizer />
>   </basic:beads>
> <basic:HTMLText>
>
> express:InsecureHTMLText looks like this:
>
> <basic:HTMLText>
>   <basic:beads>
>     <basic:InsecureNoHTMLSanitizer />
>   </basic:beads>
> <basic:HTMLText>
>
> This achieves the following goals:
>
> 1.  If someone wants to use basic:HTMLText and they don't provide a
> IHTMLSanitizer, they wont be able to display any HTML and will encounter
> runtime errors.
> 2.  They can use express:HTMLText which will run all HTML through a
> sanitizer.  They will either be happy or will complain about performance.
> 3.  They can switch to express:InsecureHTMLText and get better
> performance.  But since the name of the component clearly says that using
> it is insecure, we have at least given them an opportunity to understand
> what is going on.
> 4.  Some folks might want their own HTML sanitization logic.  They can
> create their own SpecialHTMLSanitizer which implements IHTMLSanitize and
> add it to basic:HTMLText
>
> Thoughts?
>
> Thanks,
> Om
>
> P.S.  Does the name 'TrustedHTMLText' work better than 'InsecureHTMLText'?
>
> On Tue, Jan 3, 2017 at 8:20 AM, flex capacitor <flexcapaci...@gmail.com>
> wrote:
>
> > I have a few thoughts on that. I need a component like this in the past
> for
> > the times I had separate HTML content already created but needed to be
> > integrated into a Flex JS app. I would suggest a contentBefore,
> > contentAfter and contentOverride properties maybe as a bead or a full
> > separate component.
> >
> > Those would be child tag properties that would pass the raw content
> through
> > enclosed in CDATA tags or not and the container or bead would have a
> > sanitize properties that could be set to true or false.
> >
> > The purpose would be to allow HTML embed content. Say you want to drop a
> > Google maps widget or rich text editor into your Flex JS app. You don't
> > want the compiler to parse that code. You would just want app to write
> the
> > raw HTML to the document in the container it is declared in. You would be
> > responsible for the security as the author and how to talk to it.
> >
> > The before and after properties would allow things like HTML comments or
> > other uses. In the past you had php code that wraps HTML markup but now
> it
> > could be used for some of the other frameworks out there to use markup to
> > perform other tasks.
> >
> > How that will work with the Flex JS model new App(); I'm not sure.
> >
> > On Jan 1, 2017 3:16 AM, "OmPrakash Muppirala" <bigosma...@gmail.com>
> > wrote:
> >
> > > On Sun, Jan 1, 2017 at 12:15 AM, Alex Harui <aha...@adobe.com> wrote:
> > >
> > > >
> > > >
> > > > On 12/31/16, 11:23 PM, "omup...@gmail.com on behalf of OmPrakash
> > > > Muppirala" <omup...@gmail.com on behalf of bigosma...@gmail.com>
> > wrote:
> > > > >
> > > > >Okay, I see your point now.  To be clear, I did not set out to write
> > > HTML
> > > > >code.  The bio in team.json is a html snippet.  So, I am just trying
> > to
> > > > >display it as a piece of formatted data.  Even in other projects, I
> do
> > > > >need
> > > > >this kind of thing quite often.
> > > >
> > > > IMO, this is use case #1: non-interactive HTML content.  We could
> just
> > > > have an HTML component with an "html" property.  But it would want to
> > > wrap
> > > > the content in a <div> or <span>
> > > >
> > >
> > > This is all I wanted.  I implemented this and it seems to work fine.
> > >
> > >
> > > >
> > > > Case #2: In MXML, someone wants to mix FlexJS elements with random
> > HTML.
> > > >
> > > > Case #3: In MXML, someone wants to put in random HTML where one child
> > > HTML
> > > > tag has an id and wants to write code that addresses that id.
> > > >
> > > > The cheap option is to only support #1 by creating an HTML component
> > with
> > > > an "html" property.  Everything else needs more thinking, IMO.
> > > >
> > >
> > > 2 and 3 sound like terrible ways to code :-)
> > >
> > >
> > > >
> > > > >
> > > > >That brings up a related concern.  We need to sanitize such html
> > content
> > > > >during runtime [1]
> > > >
> > > > IMO, those are just utility functions.  Not everybody needs
> > sanitization,
> > > > IMO, so PAYG.
> > > >
> > >
> > > Hmm, to play the devil's advocate, security should not be
> pay-as-you-go.
> > > This should be opt-in by default.  Someone will have to go the extra
> mile
> > > to turn it off.
> > >
> > > This is the sort of thing that will go out in the wild and folks will
> get
> > > affected by it soon enough.  We will then need to push out an emergency
> > > release to fix an XSS attack made possible by FlexJS.
> > >
> > > Either that or we call the default implementation 'InsecureHTMLText' or
> > > something like that.
> > >
> > >
> > > >
> > > > >>
> > > > >>Not really sure why this is required.  I am looking for usage
> > patterns
> > > > >>like
> > > > >>this:
> > > > >>
> > > > >><Panel>
> > > > >>    <HTMLText>{myFancyHTMLText}</HTMLText>
> > > > >>    <Image></Image>
> > > > >></Panel>
> > > > >>
> > > > >><TabNavigator>
> > > > >>    <Tab>
> > > > >>        <Button />
> > > > >>        <HTMLText />
> > > > >>    </Tab>
> > > > >>    <Tab><HTMLText></Tab>
> > > > >></TabNavigator>
> > > > >>
> > > > >>I guess the HTMLText component has to be a UIBase for this to work,
> > > > >>right?
> > > > >>
> > > > >>Maybe I am not understanding the point you are trying to make.
> > > > >
> > > > >The above would likely create an HTML DOM like:
> > > > >
> > > > ><Div className="Panel">
> > > > >  <Span>the HTML from myFancyHTMLText</Span>
> > > > >  <Img />
> > > > ></Div>
> > > > >
> > > > >
> > > > >Carlos asked earlier about getting rid of the Span since we all know
> > it
> > > is
> > > > >legit to have the HTML DOM look like:
> > > > >
> > > > ><Div className="Panel">
> > > > >  The HTML from MyFancyHTMLTExt
> > > > >  <img />
> > > > ></div>
> > > > >
> > > > >
> > > > >I doubt if this HTML can be generated.  Are you sure there will be a
> > > > >linebreak after the text?
> > > >
> > > > No.  I just added that to show the "children".
> > > >
> > > > >
> > > > >That looks a TextNode element.  Which is lightweight than innerHTML
> > But
> > > > >are we sure we don't want formatting for such text?  If we want to
> be
> > > able
> > > > >to format, we need to use a p or a span element.
> > > >
> > > > AIUI, a TextNode is just plain text.  If the above was:
> > > >
> > > > <div className="Panel">
> > > >   The <b>HTML</b> from <strong>MyFancyHTMLTExt</strong>.
> > > >   <img />
> > > > </div>
> > > >
> > > > There would be a TextNode for "The", a Bold node for "HTML", another
> > > > TextNode for "from" etc.
> > > >
> > >
> > > What I meant was that HTML could be achieved by using the
> > > document.createTextNode() function which creates a TextNode element.
> > i.e.
> > > no need for a wrapping element like P or Span.  Sorry for the
> confusion.
> > >
> > >
> > > >
> > > >
> > > > This doesn't feel right to me.  All of us seem tempted to want to
> > define
> > > a
> > > > scrap of complex HTML separate from other child controls in a
> > container.
> > > > If there was an HTML control, it would still add a wrapping element.
> > If
> > > > you pull of a trick where the HTML control just injects the content,
> > you
> > > > run into more complexity dealing with numElements and childIndex.  It
> > > > would be what the browser says it would be, but not quite as obvious
> > from
> > > > the MXML.
> > > >
> > > > On the other hand we have those thin-wrapping components like Div,
> and
> > A
> > > > and you ought to be a able to put in HTML content without it being
> > > wrapped
> > > > by another layer.
> > > >
> > >
> > > Yes, I am in agreement with you here.  A div or span with innerHTML is
> > more
> > > than adequate for this usecase.
> > >
> > >
> > > >
> > > > >There is a cost in both development time and runtime performance to
> > > > >generalizing this.  Should we do it?
> > > > >
> > > > >
> > > > >Hmm,  I don't think this requires a change to MXML parsing.
> > > >
> > > > I think it does.  The default property is expected to be an array of
> > > > Ichild elements.  When you have random HTML in the default property
> the
> > > > compiler won't accept XML TextNodes in many places and where it does,
> > it
> > > > tries to concatenate TextNodes which is what we don't want.
> > > >
> > >
> > > I see.  I did not realize this point.  In any case, I would advice not
> > > adding a random TextNode element like this.  This also brings more
> > security
> > > issues [1]
> > >
> > > Thanks,
> > > Om
> > >
> > > [1] http://benv.ca/2012/10/02/you-are-probably-misusing-DOM-
> > text-methods/
> > >
> > >
> > >
> > > >
> > > > Other opinions welcome...
> > > > -Alex
> > > >
> > > >
> > >
> >
>

Reply via email to