Monthly Archives: December 2010

Why Wikileaks needs your support

Wikileaks, Julian Assange's whistleblower site, is under heavy fire from several powerful governments, from DDoS attacks that may or may not be directed by intelligence services, and from large companies such as Amazon, EveryDNS and Paypal which, whether or not under pressure from the US government, are refusing their services to Wikileaks.

Because

  • Wikileaks has already brought some particularly dirty business to light
  • more generally, whistleblowers play an important role in keeping every organisation (and therefore governments too) accountable
  • the direct and indirect attempts to censor Wikileaks are one of the greatest threats to independent journalism and free speech on the web

… that is why I am convinced that Wikileaks must be supported.

What can you do? Support Wikileaks financially, set up a mirror, and like Wikileaks on Facebook or follow it on Twitter. And above all, keep your friends and followers informed about developments in this unsavoury cyber-espionage affair, because “The whole world is watching” is still a powerful means of pressure!

A few interesting links for those who want to read more:

Google Security says “Thanks Frank”

A few weeks ago I received the following in a mail from Google:

As a small token of appreciation for helping keep Google’s users safe and secure, we’d like to credit you on our website.

And indeed, yesterday my name was added to the “Honorable Mention” paragraph on Google’s Security Hall of Fame.

I don’t consider myself a security expert by any measure (although I am very interested in web app security), and I discovered that vulnerability in the iGoogle Facebook gadget merely by chance, but it’s nice to see my name (and a link to this blog) up there! Thanks for thanking me, Google!

Venus doesn’t love noscript

Damn, Venus doesn’t love noscript!

You’ve got no clue what I’m rambling about, do you? Well, allow me to explain:

So now you know the context, let me reiterate: Venus doesn’t treat noscript the way it should! It not only strips out JavaScript, as it should (are you listening, tt-rss?), but it also replaces noscript tags and all the HTML inside them with escaped HTML (HTML entities, actually). And that, my beloved ones, means that the HTML that WP YouTube Lyte generates doesn’t work properly on Venus-based planets.

So I started looking at the Venus source and mailed with Planet Grep’s Wouter Verhelst to solve this issue. At first sight the solution seemed pretty straightforward: Venus shouldn’t ‘escape’ noscript but should instead just strip the opening and closing noscript tags. Wouter installed a small sed filter I wrote and added noscript to the whitelist of Venus’s sanitizer (which is based on Universal Feed Parser) and … it did not work.

The problem apparently lies with another sanitizing component in Venus: html5lib. Sam Ruby, the developer of Venus, wrote on the mailing list:

There are multiple sanitization passes involved here. […] The html5parser seems to think that noscript is to be parsed as text only, which would result in the behavior that you describe.  Looking at the current HTML5 spec, it appears that this does not match the expected behavior — so perhaps that changed too.

So I started looking at html5lib and … well, I’m stuck: html5lib is a pretty complex beast for a small-time non-developer to dive into. So earlier today I turned to the html5lib discussion list to ask how sanitization can be configured not to escape noscript; let’s hope someone will enlighten me, because until then those poor Planet Greppers won’t be able to see (a thumbnail of) Al Jarreau’s great version of Take Five from way back in 1976:
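As an added example, not code from Venus, Universal Feed Parser or html5lib, here is a small whitelist sanitizer on Python's html.parser that behaves the way the post argues a feed sanitizer should: script is removed together with its body, the noscript tags are dropped while their children are kept, and those children are still sanitized as markup rather than escaped or passed through raw (a browser with scripting disabled renders noscript content as HTML, so whatever is inside it must be cleaned like any other HTML). The Lyte-style fragment and VIDEO_ID are constructed placeholders.

```python
import html
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"script", "style"}  # removed together with their body
ALLOWED_TAGS = {"a", "img", "p", "div", "span", "b", "i", "br"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "width", "height", "class"}

class FeedSanitizer(HTMLParser):
    """Whitelist sanitizer on html.parser (constructed example, not Venus code).
    Unknown tags such as noscript are dropped but their children kept; html.parser
    parses noscript content as markup, so it is sanitized the way a browser with
    scripting disabled would render it."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
        elif not self.drop_depth and tag in ALLOWED_TAGS:
            safe = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS or value is None:
                    continue  # drops on*-handlers and anything unlisted
                if name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                    continue
                safe.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag not in ("img", "br"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed Lyte-style fragment; VIDEO_ID is a placeholder, not a real video.
SAMPLE = ('<div class="lyte"><script>track()</script><noscript><a href="https://www.youtube.com/watch?v=VIDEO_ID">'
          '<img src="https://img.youtube.com/vi/VIDEO_ID/0.jpg" alt="thumb" onerror="x()"></a></noscript></div>')
```

`sanitize(SAMPLE)` keeps the link and thumbnail from inside noscript and drops the script, the onerror handler and the noscript tags themselves.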

[Embedded YouTube video: Al Jarreau 1976 - Take Five]