University of Cambridge > Talks.cam

  Browse A-Z

Log in

Cambridge users (raven)details Other usersdetails No account?details

Information on

Subscribing to talksdetails Finding a talkdetails Adding a talkdetails Disseminating talksdetails Help and Documentationdetails

Warnings About The Security Of Embedding Feeds In Your Site

Embedding a feed from talks.cam into your site carries some risks. Please be sure that you understand them:

  • You must trust talks.cam
  • You must have set the character encoding on pages that you serve

Even then, because the content of talks.cam is mainly provided by users, you must trust that they have not found any exploits in our cross site scripting protection that would allow them to run arbitrary code on your pages. (This would be a violation of their terms of use, so we hope no-one will try to do it, and any such attempts would be sanctioned severely.)

In detail:

You must trust talks.cam

Each time someone visits a page on your that contains an embedded feed a set of javascript code is loaded. This code could be used to alter any of the content on the page that your visitor sees, or to take a copy of any cookies you have stored on that user’s computer. We won’t do this of course. But you will have to trust us.

You must set the character encoding

Quoted from Jon Warbrick:

There is a separate issue for anyone using an embedded feed on a page that doesn’t establish its character encoding (which is foolish, but people do it) – under these circumstances Internet Explorer (up to and including IE7rc1) can be conned into interpreting the page in UTF -7. In UTF -7, the sequence + A D w A – is ‘<’ and won’t be caught by most escaping (see http://www.webappsec.org/lists/websecurity/archive/2005-12/msg00059.html for more info).

Character encoding is set on your webserver. Consult its documentation for details.

An escaping problem

Markus Kuhn has pointed out that the javascript feed we provide does not provide sufficient escaping of:
  • unescaped single/double quote
  • unescaped backslash
  • line terminator (\u000A, \u000D, \u2028,\u2029)

This may cause problems. A fix is being worked on.

Questions and comments

If you have questions about these warnings, or if you spot other possible vulnerabilities, please contact us.

Thank you for Jon Warbrick of the Computing Service for identifying these problems, and separate problems involving vulnerabilities to cross site scripting attacks.
 

© 2006-2024 Talks.cam, University of Cambridge. Contact Us | Help and Documentation | Privacy and Publicity