16 items | 106 visits
developer documentation for various social networking platforms
Updated on Apr 22, 09
Created on Mar 21, 08
Category: Computers & Internet
URL:
OpenSocial
hi5 auth token example. java calls to add auth token as a cookie and get user profile info
Which users a user can write Persistence data to is a policy decision that is made by each OpenSocial container. Currently, the "default" policy that most active containers have implemented is that an application can only write to VIEWER data, and only if the VIEWER has the application installed. This policy is fairly restrictive to prevent malicious users from writing data to arbitrary users, so it is expected to be the most commonly implemented Persistence data policy. This article was written under the assumption that data will only be writeable to VIEWERs with the application installed, and presents advice on how to structure applications around this limitation.
It is certainly possible that some containers may implement a more relaxed data policy that allows users to write data to other users' Persistence data. Additionally, some containers may choose to give their users the ability to set ACLs on their Persistence data. In this model, a user would be able to whitelist other user accounts to read from or write to their own Persistence data.
Since application data is visible to more than just the user who writes it, there is a danger that any given application data may contain content from a malicious user. For this reason, the OpenSocial specification stipulates that application data must be HTML escaped by the container before being returned to the application.
This will prevent situations where application data output without being filtered by the application first. Consider the following data string:
"<img style=\"width: 1; height: 1;\" src=\"adsfa\" onerror=\"alert('hello')\" />"
If the above string is put directly into the innerHTML
property of a page element, a popup box containing hello will be displayed. While this sample is harmless, allowing JavaScript from other users to execute without being filtered is a security risk. Therefore, if that string is stored in application data, it will be returned as:
"<img style="width: 1; height: 1;" src="adsfa" onerror="alert('hello')" />"
which, if put into the innerHTML
property of an element, will simply print the <img> tag and the alert() code, instead of executing the JavaScript directly.
If you need to undo this encoding operation for some reason, you may use the gadgets.util.unescapeString
function to return the escaped string's original form. Be careful about displaying unescaped data, though, for the reason explained above.
facebook viral, Facebook Publishes “Insider’s Guide To Viral Marketing”
ence. One of these is the ability to right click on a link and open it in a new window/tab. It works of course, but not as most of our users expect it to. Fbml is more reliable also. It’s just fewer moving parts and less complicated. It’s not a pretty sight when your page loads, but all the user and other information you pull via Connect is blank. I’d rather the whole page fail, at least then more users recognize that it’s a facebook issue. When Connect fails they are more likely to think it’s us. The bookmarking thing is a pain also, not a good
16 items | 106 visits
developer documentation for various social networking platforms
Updated on Apr 22, 09
Created on Mar 21, 08
Category: Computers & Internet
URL: