Dismiss Notice
Join Physics Forums Today!
The friendliest, high quality science and math community on the planet! Everyone who loves science is here!

Can we upload XML?

  1. Jun 13, 2007 #1

    honestrosewater

    User Avatar
    Gold Member

    I just went to attach an XML file to a post and found out that neither it nor HTML is allowed. Has anyone asked for this yet? I think it would be nice (obviously :biggrin:).
     
  2. jcsd
  3. Jun 14, 2007 #2

    -Job-

    User Avatar
    Science Advisor

    That would be a security hole. If you were able to upload an html/xml page then the uploaded html page, residing on the physicsforums.com server, would have access to site cookies and so might be used for cross-site scripting and stealing of sessions.
     
  4. Jun 14, 2007 #3

    honestrosewater

    User Avatar
    Gold Member

    Oh. Hm. Well, attachments have to be approved anyway, so is there an easy way to check such files as part of the approval process?

    The problem is that browsers will execute scripts in html and xml files, is that it? Are you just worried about client-side scripting? If that's it, is there another way to include scripts in an html or xml file other than with html's script element?

    You'd want to also check any files that get fetched and included. Perhaps there is a safe way to just render the page and complain if it does something bad?

    Or can you just store them somewhere special and restrict them that way?

    It's not a big deal. I'm just wondering. If I could help at all, I'd be glad to.
     
  5. Jun 14, 2007 #4

    Evo

    User Avatar

    Staff: Mentor

    When you go to attachments, it lists the approved file types.
     
  6. Jun 14, 2007 #5
    You could always upload the files as .txt files (XML is just text right?), and have the person/s change the extensions themselves (just go to notepad and save the file with the desired extension).
     
  7. Jun 15, 2007 #6

    loseyourname

    User Avatar
    Staff Emeritus
    Gold Member

    Just post the code and we'll figure out what the file was supposed to be.
     
  8. Jun 15, 2007 #7

    honestrosewater

    User Avatar
    Gold Member

    Right, I'm wondering if xml and html can be added to the list.

    Yeah, that's probably what I'll do if this doesn't work.
     
  9. Jun 15, 2007 #8

    honestrosewater

    User Avatar
    Gold Member

    I don't understand. The file is XML. This particular file is just a list, but the list has 330 items, so I didn't want to post it as a regular post. I had compiled the list in XML anyway, so I was just going to attach the file (well, I added some inline CSS to it so it would be prettier too).
     
  10. Jun 15, 2007 #9

    loseyourname

    User Avatar
    Staff Emeritus
    Gold Member

    What I meant was that readers could parse the code in their heads and infer what the list would look like. dduardo used to joke about doing that using a plain-text browser that didn't parse any code. I was also, of course, joking. Although it is certainly possible to parse code in one's head, I doubt anyone really wants to.

    But, if you want, you can always post the file somewhere else and post a link to it here. Free web space that your ISP gives you is useful for these types of dilemmas. I'm sure you can figure some way to make the list using an approved file type, too.
     
  11. Jun 15, 2007 #10

    honestrosewater

    User Avatar
    Gold Member

    You really should warn people when you're doing that.
     
  12. Jun 15, 2007 #11
    The most obvious solution would be to use an external filehost.
     
  13. Jun 15, 2007 #12

    honestrosewater

    User Avatar
    Gold Member

    Right, and that option is also there for the other types of files that PF does allow. Storing it on PF is more convenient. Also, I tried two sites and searched for more, and none of them gave direct links, so you can't just visit the URL and render the file. You have to save it locally (after possibly waiting for a timer and watching ads). Most image-hosting sites don't make you do that.
     
  14. Jun 15, 2007 #13

    -Job-

    User Avatar
    Science Advisor

    There's the script tag, iframes and framesets, links that start with "javascript:", events such as onload, onmouseover, etc. All of these would need to be parsed out.
     
  15. Jun 15, 2007 #14
    There are several filehosts that do not require you to watch ads before downloading, such as

    http://fileupyours.com/

    I've used them for a while without any problems.
     
  16. Jun 15, 2007 #15

    honestrosewater

    User Avatar
    Gold Member

    Ah, okay then. Just out of curiosity, is there a way to simply tell a script that the cookies don't exist?

    I saw the HttpOnly flag, but FF (for one) won't support it until version 3.

    Also, is a cookie's host (the "author" of the cookie or whatever) identified by only the domain name or does it use fully-qualified domain name or does it end up using IP addresses, does it keep track of ports, etc.? I'm mildly confused about how this all works, but is there no way to do it with, say, virtual hosting and subdomains or something? Just store the suspect files in a different document root? I don't care about actually doing it. I'm just wondering if there is a solution.

    Thanks for the link, Moridin. :smile:
     
  17. Jun 15, 2007 #16

    Moonbear

    User Avatar
    Staff Emeritus
    Science Advisor
    Gold Member

    I don't understand. If it's just a list, why can't you put it in a text file? What advantage would using XML give you that would justify using it here? I'm not totally sure what one does with XML anyway. As for HTML, it should be pretty obvious that there is just too much someone can do with it that would be malicious to allow that here. You have to remember that for a moderator to decide to approve an attachment, we have to view it first, on our own computers, and we're certainly not going to risk our computers just for some fancy bells and whistles in posts. As it is, I don't even like that zip files are allowed because you just never know what's in one of those until it's unzipped. We toss those around like hot potatoes, seeing who is bravest to download and open to approve the attachment.
     
  18. Jun 15, 2007 #17

    -Job-

    User Avatar
    Science Advisor

    When you set a cookie by default the cookie's domain is the domain the script came from, but you can specify a path so that only scripts in that path have access to the cookie. PF's cookie is global to the domain because there are many forum folders that need access to the cookie.

    Even if you move PF to /vb and create an upload folder at /upload and set the cookie's path to www.physicsforums.com/vb, though the html file in the upload folder doesn't have direct access to the site's cookies, since it's still in the same domain it would be able to access the cookie via an iframe pointing to the main PF page. A page can access and manipulate scripts on a page in one of its iframes as long as both pages are in the same domain, which is the case. Browser security varies of course.
     
  19. Jun 15, 2007 #18

    honestrosewater

    User Avatar
    Gold Member

    You use it to structure information (which makes the information easier to process, more valuable, etc.). XML is similar to HTML. They're markup languages with the same parent, SGML. You can clean up HTML a little bit to make all HTML documents valid XML documents (that is what XHTML is). XML is like a metalanguage in which you can define different vocabularies (or schemas, or document types), and XHTML is one of those vocabularies. My list is an instance of a LaTeX-inspired schema that I made up. You can actually do more with XML than you can with HTML, so you can just imagine teh interwwwebs written in plain text instead of HTML to get an idea of some of what you lose.

    Yes, I can of course write the list as plain text. The only thing that I gain in this case is nicer formatting and not having to transform it from the XML that I already have it stored as. But I wasn't asking about a one-time approval for this one file. (Actually, I personally don't gain anything since I have and can view the file already. :tongue2:)
    Oh, I didn't even realize that. Yes, now that I've asked, I am aware of the problems. I certainly don't expect anyone to take those kinds of risks. I was just asking.


    -Job-, Sweet. Thanks for the info. :smile:
     
  20. Jun 15, 2007 #19

    honestrosewater

    User Avatar
    Gold Member

    Sorry, I was half-asleep this morning. What if you went the other way, with subdomains rather than subdirectories? Say, uploads.physicsforums.com for the uploads and www.physicsforums.com as is. And then maybe just alias it, say, if using Apache:

    NameVirtualHost *

    <VirtualHost *>
    ServerName www.physicsforums.com
    ServerAlias uploads.physicsforums.com
    DocumentRoot /whatever
    </VirtualHost>

    Would that work? Can a script on uploads.physicsforums.com access cookies from www.physicsforums.com?
     
  21. Jun 15, 2007 #20

    -Job-

    User Avatar
    Science Advisor

    I'm not sure if the iframe vulnerability would be there for different subdomains, i've never tried that.

    I'm not sure of this but i imagine that when you upload a file vBulletin doesn't add a direct link to the file in the post, rather it probably links to something like download.php?id=file12345 which returns the file, and then the uploaded html file's location would be www.physicsforums.com/download.php?id=file12345. But i'm not positive of this.
     
Know someone interested in this topic? Share this thread via Reddit, Google+, Twitter, or Facebook

Have something to add?



Similar Discussions: Can we upload XML?
  1. Xml Rss? (Replies: 3)

  2. Can we glue text? (Replies: 5)

  3. Can we have chat please (Replies: 22)

Loading...