tags:

views:

108

answers:

2
+1  Q: 

Needed: flexible yet secure user HTML embedding technique

Hi,

Our software manages libraries, museums, archives etc. We'd like to let the users (namely the catalogers, not the visitors) add some embedded content such as Google maps, YouTube videos etc. We'd like the solution to be as flexible as possible, as each embedded content provider has it's own format. OTOH, we'd rather not allow the users to enter raw HTML, as this will impose both a XSS security risk and in case of erroneous HTML might screw up our surrounding web page.

I started looking into Google Maps today, and couldn't find a way to handle it. I don't want to let the users just copy the embedding HTML snippet into an item; I can't embed the link URL provided, as Google won't allow it; and I can't let the user specify the coordinates, as I don't want to use the Google Maps JS API (which means providing a built-in solution which we'll have to maintain).

The question in not specifically about Google Maps, but Google Maps is quite representative. I'd love to hear suggestions for a flexible-yet-secure HTML embedding technique.

Thanks, Eran

+1  A: 

markdown or other lightweight markup language for markup; custom macros for embedding allowed snippets (see like it is done on wordpress.com to embed youtube videos)

jetxee  2009-01-25 13:50:23
+2  A: 

Would Caja work for you?

Caja (pronounced "KA-ha") is "virtual iframes": it allows you to put untrusted third-party HTML and JavaScript inline in your page and still be secure. Caja

  • gives stricter control over what the code can do:
    • no redirects to phishing pages: the window object the untrusted code has is a fake one created by the containing page
    • no malware: all requests to URLs are proxied
    • no XSS: dynamic HTML sanitization
  • allows the untrusted code more power than is safe to give to code currently in iframes. Here are some possibilities:
    • floating frames ("info windows")
    • frames don't have to be rectangular
    • frames can communicate without the current awkward protocols
    • a reader could broadcast geographic information about the current article; a maps gadget jumps to the location, while a news gadget gets local stories and a weather gadget pulls up the weather
    • similarly for financial info or entertainment info
    • an extensible syntax highlighter could have plugins that can mark up text but not leak the contents to another website
    • can be a bit channel (can only send information) or a code channel (can send functions)
    • hosting page can control who talks to whom
Ates Goral  2009-01-25 13:58:48
Thanks, I wasn't aware of that!However, although MySpace and Yahoo are said to be using it, it doesn't seem to be ready for wide use. Moreover, I tried running Google maps in its demo applet, and couldn't make it work. I might have missed something, but is it really productive?
eran  2009-01-25 16:12:21

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?