Enable Embedding GitHub Gists as Media in Posts
Title:
Enable Embedding GitHub Gists as Media in Posts
Area:
posting, media
Summary:
Enable adding GitHub Gists, which are embedded as scripts, in posts, via the 'add media' option so that DW users can post short blocks of formatted source code for discussion and review.
Description:
Gists are text files hosted on GitHub enabling developers to post short snippets of code for review and comment.
GitHub provides a way to embed a gist on a site, as a script file:
<script src="https://gist.github.com/3290622.js?file=foo.js"></script>
However, DW wisely prevents scripts from being embedded as either media or post content, because of XSS :)
But adding gist.github.com to a whitelist would enable coders of all skill levels to quickly post nicely formatted snippets of code for review, discussion, and comment.
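The allow-list idea in the suggestion turns on one check: is a given embed URL really a gist on gist.github.com, or something merely made to look like one? The following is an added example, not part of the suggestion and not Dreamwidth code. It validates a proposed embed `src` with the browser/Node `URL` parser and only then emits the script tag. The host and the `/<id>.js?file=<name>` path shape come from the URL quoted above; the optional `<user>/` path segment, the hex-only id, and the `file`-only query rule are assumptions made here.

```javascript
// Added example (not DW code): allow-list check for a GitHub Gist embed URL.
// Assumptions: gist ids are hex, an optional "<user>/" segment may precede the
// id, and "file" is the only query parameter an embed needs.
const GIST_HOST = "gist.github.com";
const GIST_PATH = /^\/(?:[A-Za-z0-9-]+\/)?[0-9A-Fa-f]+\.js$/;

// Returns the normalised URL string if src is an acceptable gist embed,
// otherwise null. Every rejection below closes a different bypass.
function validateGistEmbedSrc(src) {
  let url;
  try {
    url = new URL(String(src));          // relative or junk input throws
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;       // no http:, javascript:, data:
  if (url.hostname !== GIST_HOST) return null;      // exact host: rejects gist.github.com.evil.example
  if (url.username !== "" || url.password !== "") return null; // no user@host tricks
  if (url.port !== "") return null;
  if (!GIST_PATH.test(url.pathname)) return null;   // pathname is already dot-segment normalised
  for (const key of url.searchParams.keys()) {
    if (key !== "file") return null;                // no callback=, no extra params
  }
  url.hash = "";                                    // fragments are irrelevant to the fetch
  return url.href;
}

// Minimal attribute escaping for the emitted tag.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Builds the <script> tag only from a validated, normalised URL.
function renderGistEmbed(src) {
  const safe = validateGistEmbedSrc(src);
  if (safe === null) return null;
  return `<script src="${escapeAttr(safe)}"></script>`;
}
```

The point of comparing `url.hostname` rather than doing a substring match on the raw string is that `evil.example/gist.github.com/1.js` and `gist.github.com.evil.example/1.js` both contain the allowed host as text; only the parsed hostname tells them apart.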
This suggestion:
Should be implemented as-is.
13 (24.5%)
Should be implemented with changes. (please comment)
5 (9.4%)
Shouldn't be implemented.
5 (9.4%)
(I have no opinion)
30 (56.6%)
(Other: please comment)
0 (0.0%)
no subject
1) An uncaught XSS or CSRF vulnerability in embedded Gists, which would allow an attacker to take actions on behalf of the logged-in user, or gain access to session cookies.
2) Information leakage, that is, GitHub's logs would show a request for the gist embed with xxx.dw.org as the referer, allowing an adversary to correlate actions across sites. However, this is the same risk as that exposed by embedding media such as YouTube.
no subject
What I said is that if there was a flaw in GitHub's code that propagated an XSS or CSRF, then we would have an exposure.
That is not the same as allowing arbitrary scripts, which could be intentionally written with an XSS or CSRF vector.
no subject
*changes vote*
no subject
And I would like to have an audit of GitHub's Gist embedding implementation before proceeding. A review can be a go/no-go part of the process.
no subject
If (you know a little HTML)
show (your work)
endif
no subject
And since DW has moved the open source portion of the project to GitHub, devs would already be using GitHub.
An alternative to Gists would be to look at adding a code formatting library such as http://code.google.com/p/google-code-prettify/ and providing a hook via custom markup.
no subject
I'd be all for allowing embeds that simply display as text. (or am I being hopelessly naive in making this an easy distinction?)
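The "display as text" alternative raised in the two comments above (a code-formatting library with a custom-markup hook, and embeds that only render as text) can be shown concretely. This is an added example, not code from either commenter and not Dreamwidth's markup engine: a renderer that turns a `[code lang=...]` block into an HTML-escaped `<pre>` element, so the snippet is displayed, never executed, and a client-side prettifier can colour it afterwards. The `[code]` syntax, the `prettyprint`/`lang-*` class names and the language list are assumptions made here.

```javascript
// Added example (not DW code): render [code lang=xx]...[/code] custom markup
// as escaped text. Assumptions: the [code] tag syntax, the class names used
// by a prettifier such as google-code-prettify, and the allowed language list.
const ALLOWED_LANGS = new Set(["js", "html", "css", "perl", "py"]);

// Escape the characters that could otherwise close the <pre> or start a tag.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Replace every [code ...]...[/code] block in a post body with a <pre>.
// The lang attribute is restricted to [A-Za-z0-9]+ by the pattern and to a
// fixed set by ALLOWED_LANGS, so it cannot smuggle extra attributes or classes.
function renderCodeMarkup(post) {
  const block = /\[code(?:\s+lang=([A-Za-z0-9]+))?\]([\s\S]*?)\[\/code\]/g;
  return post.replace(block, (match, lang, body) => {
    const lower = lang ? lang.toLowerCase() : "";
    const cls = ALLOWED_LANGS.has(lower) ? ` lang-${lower}` : "";
    return `<pre class="prettyprint${cls}">${escapeHtml(body)}</pre>`;
  });
}
```

Because the snippet body reaches the page only through `escapeHtml`, a gist-sized block of JavaScript pasted into `[code]` is inert markup; the only script that runs is the site's own prettifier, which is the distinction the comment is asking about.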
no subject
It is not intended to allow embedding arbitrary scripts in posts.
Example Gist
The gist itself is the text of a self-executing JavaScript function:
They are using repeated document.writes to embed the escaped text, and they refer to a stylesheet they write to the document. I'm boggled that they are just adding the link to the CSS instead of finding the document head and adding it there.