[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Hyperlink in ContactInfo



Ilka Schulz wrote:
> Hi,
> 
> I wrote a little PHP-based contact page and put the link to the
> /ContactInfo/ of my relay's /torrc/. I added some HTML tags (/<a
> href=...> ... </a>/) to let Tor Metrics show the link as such; but, of
> course, the string is sanitized properly, so the /Contact/ field on Tor
> Metrics shows the literal HTML tags.
> 
> Is there any chance to show the hyperlink on Tor Metrics, so that
> visitors can directly click on it? The same would be interesting for
> clear text email addresses.
> 
> Regards,
> Ilka
> 

NACK of course HTML tags / javascript is sanitized otherwise anyone can
inject HTML or javascript code in our metrics webpage which is super
bad. One attacker can infect all visitors of our metrics webpage, or do
various other stuff we don't want.

There is no way to implement such a feature unless someone manually
reviews each relay's ContactInfo HTML/javascript tags in that string to
make sure there is nothing bad in it, and then keep an eye on it on
every descriptor refresh. This is if course out of the question, nobody
has the time to do it, it opens the door for mistakes and security risks
and it gives us absolutely no gains.

Of course there is a solution where metrics page will detect link format
like : http:// , https://, domain.tld, subdomain.domain.tld and show it
as hyperlink on the metrics webpage, but I recommend against this as
well as this way our metrics webpage can become the referrer for some
fishy websites attackers choose to put in relay's contact info.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays