I currently run several WordPress MU installations.
My users are asking for the ability to post video (not just YouTube, but from our own Flash Media Server).
By default, WordPress strips out <embed> tags.
Now, I would never allow users to include PHP or JavaScript in their posts. Do I have to worry about Flash vulnerabilities?
How dangerous is the embed tag and should I worry about giving them the ability?
Thanks
Best answer
Generally speaking, Flash has come a long way in terms of preventing exploits like key trapping, etc.
The safest thing you could do would be to obfuscate the embedding code and have them only supply a SWF URL; that way they couldn't pull anything fancy in the embed object like allowing cross scripting, etc.
In particular, you want to watch out for things like potential hackers trying to call JS functions from your blog JS files by using AS3's ExternalInterface.call() function... that would definitely be bad. However, I think you can use embed techniques to turn this off.
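The following is an added example, not part of the original answer or of WordPress itself: one way to accept only a SWF URL and generate the embed markup server-side, with Flash's `allowScriptAccess` parameter set to `never` so the movie cannot reach page JavaScript through `ExternalInterface.call()`. The host `media.example.edu`, the function name `render_swf_embed` and the shortcode name `swf` are assumptions made for illustration.

```php
<?php
// Hosts allowed to serve SWF files (hypothetical placeholder value).
const SWF_ALLOWED_HOSTS = ['media.example.edu'];

/**
 * Return <embed> markup for a user-supplied SWF URL, or '' if it is rejected.
 * The URL is the only user input; every other attribute is fixed here.
 */
function render_swf_embed(string $url, int $width = 480, int $height = 360): string
{
    $p = parse_url(trim($url));
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        return '';
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)      // no javascript:, data:
        || isset($p['user']) || isset($p['pass'])        // no user@host tricks
        || !in_array($host, SWF_ALLOWED_HOSTS, true)     // our media server only
        || !preg_match('/\.swf$/i', $p['path'])) {       // SWF files only
        return '';
    }
    // Rebuild the URL from the validated parts instead of echoing raw input.
    $src = $scheme . '://' . $host . (isset($p['port']) ? ':' . $p['port'] : '')
         . $p['path'] . (isset($p['query']) ? '?' . $p['query'] : '');

    return sprintf(
        '<embed type="application/x-shockwave-flash" src="%s" width="%d" height="%d"'
        . ' allowScriptAccess="never" allowNetworking="internal">',
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8'),
        max(1, min($width, 1280)),
        max(1, min($height, 720))
    );
}

// Inside WordPress, expose it as [swf src="..."] (shortcode name is hypothetical).
if (function_exists('add_shortcode')) {
    add_shortcode('swf', function ($atts) {
        $a = shortcode_atts(['src' => '', 'width' => 480, 'height' => 360], $atts);
        return render_swf_embed($a['src'], (int) $a['width'], (int) $a['height']);
    });
} else {
    // Stand-alone run with constructed inputs: one allowed host, one foreign host.
    echo render_swf_embed('http://media.example.edu/player.swf'), "\n";
    var_dump(render_swf_embed('http://other.example.net/evil.swf') === '');
}
```

`allowNetworking="internal"` additionally stops the movie from navigating the browser while still letting it load its own media streams; raw `<embed>` tags in post content stay stripped, so users cannot override either parameter.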