User talk:Ilmari Karonen/JS injection demo

From Jmol
Jump to navigation Jump to search

Right, Jmol can invoke javascript commands, so the MediaWiki extension channels those commands.

But most pages do run javascript. What is the risk in letting the extension do so? Maybe the wikis are not allowed to run javascript under normal conditions? --AngelHerraez 20:26, 29 November 2008 (CET)

As a random, unprivileged editor, I'm not supposed to be able to run arbitrary JavaScript in your browser in the wiki's context. If I can do that, I can e.g. make edits or send e-mail to other users in your name, obtain information about your computer and your browsing habits that the wiki software doesn't normally reveal, or even trick you into giving me your wiki password, which I can then try to use to log onto other sites. The last part isn't quite as easy on the latest MediaWiki versions than it is on e.g. MediaWiki 1.12 (as used on this site), since a few of the more obvious ways to do that have been plugged, but it's certainly still possible. --Ilmari Karonen 21:22, 29 November 2008 (CET)
Ilmari, can you please check the page again? I have done some fixes in the extension and it is now updated in this wiki. No javascript should be executed by the extension now. --AngelHerraez 21:50, 8 December 2008 (CET)
Yup, seems to be fixed now. Thanks. --Ilmari Karonen 22:50, 8 December 2008 (CET)