gaurav bhatia's Library tagged → View Popular
Statistics on Google’s OpenSocial platform end users and Facebook users
social networking data/stats
- The greatest overlap between OpenSocial container sites exists between MySpace and Hi5, in which 43% of Hi5 users also use MySpace.
- Facebook users are 63% female and 36% male, whereas the sites integrated with the OpenSocial platform are 61% female and 38% male.
The Persistence API - OpenSocial - Google Code
persistence api
- Which users a user can write Persistence data to is a policy decision that
is made by each OpenSocial container. Currently, the "default" policy that
most active containers have implemented is that an application can only write to
VIEWER data, and only if the VIEWER has the application installed.
This policy is fairly restrictive to prevent
malicious users from writing data to arbitrary users, so it
is expected to be the most commonly implemented Persistence data policy.
This article was written under the assumption that data will only be
writeable to VIEWERs with the application installed, and presents
advice on how to structure applications around this limitation.
It is certainly possible that some containers may implement
a more relaxed data policy that allows users to write data to other users'
Persistence data. Additionally, some containers may choose to give their
users the ability to set ACLs on their Persistence data. In this model,
a user would be able to whitelist other user accounts to read from or write
to their own Persistence data.
- Character escaping
Since application data is visible to more than just the user who writes it,
there is a danger that any given application data may contain content from
a malicious user. For this reason, the OpenSocial specification stipulates
that application data must be HTML escaped by the container before being
returned to the application.
This will prevent situations where application data is output without being
filtered by the application first. Consider the following data string:
"<img style=\"width: 1; height: 1;\" src=\"adsfa\" onerror=\"alert('hello')\" />"
If the above string is put directly into the innerHTML
property of a page element, a popup box containing hello will be
displayed. While this sample is harmless, allowing JavaScript from other
users to execute without being filtered is a security risk. Therefore, if
that string is stored in application data, it will be returned as:
"&#60;img style=&#34;width: 1; height: 1;&#34; src=&#34;adsfa&#34; onerror=&#34;alert(&#39;hello&#39;)&#34; /&#62;"
which, if put into the innerHTML property of an element, will
simply print the <img> tag and the alert() code, instead of
executing the JavaScript directly.
If you need to undo this encoding operation for some reason, you may use
the gadgets.util.unescapeString function to return the escaped
string's original form. Be careful about displaying unescaped data, though,
for the reason explained above.
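The escaping behaviour described above, as an added example that is not part of the bookmarked article or of any OpenSocial container. The names containerEscape, hasLiveMarkup and display are hypothetical, unescapeString is a local stand-in for gadgets.util.unescapeString, and the numeric-entity encoding is an assumption about how a container escapes.

```javascript
// Added example: local stand-ins, not OpenSocial container code.
// The data string from the text above.
const PAGE_SAMPLE =
  '<img style="width: 1; height: 1;" src="adsfa" onerror="alert(\'hello\')" />';

// Assumption: the container encodes markup-significant characters as
// numeric character references before returning application data.
function containerEscape(raw) {
  return raw.replace(/[<>"'&]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Stand-in for gadgets.util.unescapeString (decodes numeric references only).
function unescapeString(escaped) {
  return escaped.replace(/&#(\d+);/g, (_, code) =>
    String.fromCharCode(Number(code)));
}

// True when the string still holds characters the HTML parser treats as markup.
function hasLiveMarkup(s) {
  return /[<>"']/.test(s);
}

// Write application data into an element.
// - Escaped data may go into innerHTML: the entities render as visible text.
// - Data that is not escaped (the container did not escape it, or the caller
//   already unescaped it) is written as text so the parser never sees a tag.
// - When the original characters are wanted, unescape and write as text.
function display(element, stored, wantOriginal = false) {
  if (wantOriginal) {
    element.textContent = unescapeString(stored);
    return "text";
  }
  if (hasLiveMarkup(stored)) {
    element.textContent = stored;
    return "text";
  }
  element.innerHTML = stored;
  return "markup";
}

// Demonstration with a plain object in place of a DOM element.
const demo = {};
console.log(display(demo, containerEscape(PAGE_SAMPLE)), demo.innerHTML);
```

In a real gadget the element argument is a DOM node; the plain object here only lets the example run outside a browser.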
