West Coast Style (darkain) wrote in lj_dev,

Embedded LiveJournal Recommendations

Embedded LJ is a feature I was unaware of until reading this previous post.

Anywho, while reading the page on Embedding LJ with PHP, something caught my eye. The last usage says you can use PHP includes, which can potentially be very harmful:
  include "http://www.livejournal.com/customview.cgi";

Because PHP will actually process the contents of the document, PHP can be inserted into the LJ and PHP will see it as code. This can be tested by making a post containing either of the following:
  <? echo 'test'; ?>
  <?php echo 'test'; ?>

While this by itself may not be harmless, as in theory only the person in control of the web site is in control of the journal as well, if their LJ is ever compromised then it would easily be possible to take over their personal site as well.

My recommendations would be to completely remove the suggestion of "include" from the page mentioned above, as well as to possibly disallow any tags that start with "<?" at all, as I know it's also caused some issues in the past with some browsers falsely allowing JavaScript execution as well.
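The following script is an added example and is not code from darkain's post or from LiveJournal. It reproduces the hazard described above offline: a constructed journal body (an assumption, standing in for whatever customview.cgi would return) is written to a temporary file and included in place of the remote URL, since PHP's include treats a local file and a remote document the same way. It then shows the safe alternative (fetch the document as data and echo it) and a server-side filter in the spirit of the post's "disallow anything starting with <?" suggestion; the function name strip_php_tags is an assumption.

```php
<?php
// Added example, not part of the original post. Demonstrates why including
// journal output is dangerous, using a CONSTRUCTED journal body written to a
// temp file in place of http://www.livejournal.com/customview.cgi.

// Hypothetical server-side filter: drop complete PHP tag blocks first, then
// any dangling "<?" that never closes, so nothing starting with "<?" survives.
function strip_php_tags($text) {
    $text = preg_replace('/<\?.*?\?>/s', '', $text);   // well-formed blocks
    $text = preg_replace('/<\?.*$/s', '', $text);     // unterminated tail
    return $text;
}

// Constructed sample of what the embed URL might hand back if one entry
// contained a PHP block. The middle line is the attacker-controlled part.
$journalBody = <<<'LJ'
<p>Harmless entry text.</p>
<?php echo "[PHP ran as the web server's user on ", php_uname('s'), "]\n"; ?>
<p>More entry text.</p>
LJ;

$tmp = tempnam(sys_get_temp_dir(), 'ljview');
file_put_contents($tmp, $journalBody);

echo "--- 1. include (the advice the post objects to) ---\n";
// PHP parses the included document as a script, so the PHP block inside the
// journal entry executes with the web server's privileges.
include $tmp;

echo "--- 2. fetch as data and echo (safe) ---\n";
// file_get_contents returns a plain string; echoing a string never invokes the
// PHP parser, so the tags reach the client as literal text and nothing runs.
$data = file_get_contents($tmp);
echo $data;

echo "--- 3. fetch as data, then strip PHP tags (defence in depth) ---\n";
// Same data path, with the filter applied before output.
echo strip_php_tags($data);

unlink($tmp);
```

Run it with `php example.php`: section 1 prints the bracketed line, proving the entry's code executed, while sections 2 and 3 do not. On a real site the remote form of the include additionally requires allow_url_include=On on PHP 5.2 and later, which is off by default; on the PHP 4 and early PHP 5 releases of the post's era, allow_url_fopen alone (on by default) was enough, which is why the advice on the embedding page worked as written.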
