- going to the Blogger Layout page (via the admin panel)
- at the bottom click on 'Add a Gadget'
- add the Guag.es tracking code, which looks something like this:
In fact, the code sample above (GIST from GitHub) is also an XSS injection, so one can also put script execution on normal posts:
So what are the security implications of this?
- The JavaScript code will be executed under the http://diniscruz.blogspot.com/ origin, so (in principle, by the same-origin policy) any script on it should not be able to affect any other *.blogspot.com domain
- The injection of code via the blog Layout means that any blog admin can take over this blog (so that is OKish)
- What about visitors to this blog? Is there a way to 'attack' them?
- For example: will it be possible to auto-post a comment (or vote) for them? It looks like comments are made from http://www.blogger.com/comment.g?... so that separate origin could prevent it
Question: Is there a write-up somewhere on the interweb about the security implications, threats and countermeasures of allowing user script injection in a user-driven site like Blogger?
This question is very relevant to me at the moment, since the 3.1 beta version of TeamMentor allows raw HTML (and scripts) to be used on TM Articles (this is a requested feature), and I need to figure out the best way to handle it