Forum OpenACS Development: Re: Security parameters in kernel

Posted by Ben Koot on
Maybe I am missing something, but wouldn't the IMG tag allow us to import pictures from photodb, which autogenerates an image display URL, into modules like ETP and blogger? With weblogs gradually replacing traditional homepages, it's too bad OACS doesn't allow the use of images in a simple format. If Movable Type and other systems can handle this, and given the fact that we have a good way of storing pics on the web with photodb, it seems a bit strange that other parts of OACS don't allow the use of images. It's tough to convince potential clients to use OACS if security prohibits things that people regard as pretty straightforward. Just a thought, Ben
Posted by Malte Sussdorff on
The moment we allow image tags I'd immediately revoke Site Wide Admin from all people. Though they are a nice feature Ben, they open up a place for attacks that has been discussed quite a lot and especially with a site where anyone can post, this is a critical security issue. Take into account that I can put any URL in an image tag, including the one that gives a certain user_id SWA access.
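One way to get the best of both posts, as an added example that is not OpenACS code and not from either poster: keep `<img>` in user-posted HTML only when its `src` is a same-site, query-free path under the photodb image path (the `/photodb/image/` prefix is an assumption here), so a post can show its own pictures but cannot make every viewer's browser fetch an arbitrary URL such as a privilege-granting admin request. Other tags are passed through untouched and would need their own filtering.

```python
# Added example (not OpenACS code): allow <img> in untrusted HTML only when
# src is a relative, query-free path under the site's own image-serving path.
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_IMG_PREFIX = "/photodb/image/"   # assumed path, not an OpenACS constant

def img_src_allowed(src: str) -> bool:
    """True only for same-site, query-free paths under the image prefix."""
    parts = urlsplit(src.strip())
    if parts.scheme or parts.netloc:       # rejects http://, //host, javascript:, data:
        return False
    if parts.query or parts.fragment:      # rejects ?user_id=...&grant=... style requests
        return False
    if ".." in parts.path or "\\" in parts.path:   # no escaping the image path
        return False
    return parts.path.startswith(ALLOWED_IMG_PREFIX)

class ImgFilter(HTMLParser):
    """Re-emits HTML, dropping every <img> whose src fails img_src_allowed."""
    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep entities escaped in output
        self.out, self.dropped = [], 0
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())   # other tags pass through as-is
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not img_src_allowed(src):
            self.dropped += 1                            # tag is removed, not rewritten
            return
        alt = html.escape(a.get("alt") or "", quote=True)
        self.out.append(f'<img src="{src}" alt="{alt}">')
    def handle_endtag(self, tag):
        if tag != "img":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def filter_images(untrusted_html: str):
    """Returns (filtered_html, number_of_img_tags_dropped)."""
    p = ImgFilter()
    p.feed(untrusted_html)
    p.close()
    return "".join(p.out), p.dropped
```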