Dear list members,
Because of the feedback the Technical Board received after our last email regarding the changed behavior of media objects, we had a new and fruitful discussion on the matter.
As an immediate/intermediate solution, it is now possible to define a blacklist of file extensions in the administration of media objects. Files of type 'html' are forbidden by default now. You would be required to change this setting in case HTML files are important for your scenarios.
If you still plan to allow HTML files and are afraid of the security issue:
* It should NOT be possible to steal the user's session cookie, because session cookies in ILIAS are marked as 'httponly' and cannot be accessed by JavaScript code located in the uploaded HTML files (media objects).
* Nevertheless, the user's session cookie will STILL be sent in case a malicious script requests (e.g. via AJAX/XmlHttpRequest) ILIAS server-side scripts, so these requests are sent in the context of the user to whom the media object is presented.
As a medium-term solution, the Technical Board highly appreciates and supports the introduction of methods like 'Subdomain Isolation' (presented by Pascal Grube last year), which ensures both the possibility to upload HTML/JavaScript files and a certain level of security. We will get in contact with stakeholders interested in funding and further pushing the implementation of this.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
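An extension blacklist check of the kind the email describes, with 'html' forbidden by default, added here as an illustrative example; it is not ILIAS code, and the function names, the format of the administrator-entered list and the sample filenames are assumptions:

```python
# Added example (not ILIAS code): an extension blacklist check for media
# object uploads, defaulting to 'html' as the email describes. Function
# names, the admin list format and the sample filenames are assumptions.
from __future__ import annotations

# Default blacklist: only 'html' is forbidden, as in the email.
DEFAULT_BLACKLIST: frozenset[str] = frozenset({"html"})


def parse_blacklist(admin_setting: str) -> frozenset[str]:
    """Parse the extensions an administrator entered (assumed format:
    separated by commas, semicolons or whitespace; leading dots and
    letter case are ignored) into a normalized set."""
    raw = admin_setting.replace(",", " ").replace(";", " ").split()
    return frozenset(item.lower().lstrip(".") for item in raw if item.strip("."))


def extensions_of(filename: str) -> list[str]:
    """All extension segments of a filename, lower-cased.

    Directory parts, surrounding whitespace and trailing dots are stripped
    first, so 'Page.HTML', ' page.html ' and 'page.html.' all yield ['html'],
    and 'bundle.html.zip' yields ['html', 'zip'].
    """
    base = filename.strip().replace("\\", "/").rsplit("/", 1)[-1].rstrip(".")
    parts = base.lower().split(".")
    return [p for p in parts[1:] if p]


def is_forbidden(filename: str, blacklist: frozenset[str] = DEFAULT_BLACKLIST) -> bool:
    """True if any extension segment is on the blacklist. Checking every
    segment, not only the last one, is a deliberately conservative policy."""
    return any(ext in blacklist for ext in extensions_of(filename))


def check_upload(filename: str, blacklist: frozenset[str] = DEFAULT_BLACKLIST) -> tuple[bool, str]:
    """Return (allowed, reason) for an upload decision; reason is '' when allowed."""
    hits = [ext for ext in extensions_of(filename) if ext in blacklist]
    if hits:
        return False, f"extension '{hits[0]}' is on the media object blacklist"
    return True, ""


if __name__ == "__main__":
    # Constructed sample filenames, not real uploads.
    custom = parse_blacklist("html, HTM; .xhtml")
    for name in ["notes.txt", "page.html", "Page.HTML", "bundle.html.zip", "page.htm"]:
        print(name, check_upload(name, custom))
```

With the default setting only 'html' is rejected; an administrator who widens the list (e.g. to 'htm') changes the decision for 'page.htm' without any code change.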