On Sat, 2002-11-16 at 07:09, Pierre Abbat wrote: That reminds me -- although PHP scripts do not run in our upload directory, HTML files containing JavaScript are possible. If no one catches them, a wikipedia user could be tricked into viewing the file and, if they have Javascript enabled, their login cookies could be stolen, including the password hash if 'remember password across sessions' is enabled. Three ways around this come to mind: 1) A tighter cookie path could prevent untrusted files in /upload/ from reading the cookie. But, we have three paths to worry about which need to access the cookie: / (main page, raw host url) /wiki/ (normal pages) /w/ (directly linking the script for various options; edit etc) Currently we can serve all three only by setting the cookie path to /, which lets the whole site read them. Either we need to change the paths (force / to redirect to /wiki/Main_Page and use /wiki/Foo?bar instead of /w/wiki.phtml?title=Foo&bar) or think of something else. 2) Don't allow HTML files to be uploaded, or serve them with plain text mimetype. This could be annoying. 3) Allow HTML files to be uploaded, but attempt to strip out javascript. This could be annoying. -- brion vibber (brion @ pobox.com)