Warnings About The Security Of Embedding Feeds In Your Site

Embedding a feed from talks@ee.imperial into your site carries some risks. Please be sure that you understand them:
Even then, because the content of talks@ee.imperial is mainly provided by users, you must trust that they have not found any exploits in our cross-site scripting protection that would allow them to run arbitrary code on your pages. (This would be a violation of their terms of use, so we hope no one will try to do it, and any such attempts would be sanctioned severely.)

In detail:

You must trust talks@ee.imperial

Each time someone visits a page on your site that contains an embedded feed, a set of JavaScript code is loaded. This code could be used to alter any of the content on the page that your visitor sees, or to take a copy of any cookies you have stored on that user's computer. We won't do this, of course. But you will have to trust us.

You must set the character encoding

Quoted from Jon Warbrick:
Character encoding is set on your webserver. Consult its documentation for details.

An escaping problem

Markus Kuhn has pointed out that the JavaScript feed we provide does not provide sufficient escaping of:
This may cause problems. A fix is being worked on.

Questions and comments

If you have questions about these warnings, or if you spot other possible vulnerabilities, please contact us. Thank you to Jon Warbrick of the University of Cambridge Computing Service for identifying these problems, and separate problems involving vulnerabilities to cross-site scripting attacks.
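
The cookie risk described under "You must trust talks@ee.imperial", as an added example that is not part of the original page or of talks@ee.imperial's code: script loaded from another site runs with your page's privileges, so `document.cookie` exposes every cookie not marked `HttpOnly`. The function names and the sample `Set-Cookie` headers are constructed for illustration.

```javascript
// Added example: audit which of a site's cookies an embedded feed script
// could read. Input is the list of Set-Cookie header values the site sends.

// Parse one Set-Cookie value into its name and security attributes.
// Returns null for a header with no name=value pair (skipped by the audit).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const part of parts.slice(1)) {
    const [rawKey, ...rest] = part.split('=');
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = rest.join('=').trim();
  }
  return cookie;
}

// Names of cookies visible to any script running in the page, including
// script pulled in from a third party with <script src="...">.
function cookiesReadableByEmbeddedScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => c !== null && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample headers (not taken from any real site).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=compact; Path=/; Max-Age=31536000',
  'csrftoken=xyz789; Path=/; Secure; SameSite=Strict',
  'auth=tok; path=/; httponly',
];

console.log(cookiesReadableByEmbeddedScript(SAMPLE_HEADERS));
```

`HttpOnly` only keeps cookies out of reach of `document.cookie`; an embedded script can still alter the content of the page.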