Hi all,
To achieve the implementation of this solution (see
https://github.com/tdelafosse/xwiki-rendering/compare/XSS-protected and
https://github.com/tdelafosse/xwiki-platform/compare/XWiki-9151 for more
details), I've had to break a few APIs. Here are the changes that make
CLIRR complain:
1) I've added a getExtraAttributes() method in the RenderingConfiguration
2) I've added a createSecureRenderer(WikiPrinter) method in the
PrintRendererFactory interface, in order to be able to get a "secure"
renderer from block renderers
3) I've also had to change XMLWikiPrinter and XHTMLWikiPrinter into
interfaces. They are implemented by a "secure" and a "default"
XMLWikiPrinter (resp. XHTMLWikiPrinter), the "default" printer being the
one defined before.
Does this seem OK to you?
Thanks,
Thomas
On Fri, Jun 21, 2013 at 2:34 PM, Thomas Delafosse <
thomas.delafosse(a)xwiki.com> wrote:
I had in mind to authorize any attribute matching the following regex
"^[a-zA-Z]+:[a-zA-Z]+$". With that, any prefixed attribute (without special
chars) would be accepted, so I don't see any use case for enabling some
extra regex, while it can be useful to authorize some extra attributes.
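
The attribute-name check described in the quoted message, sketched as an added Java example; it is not code from the linked XWiki branches. The class name, the `extraAttributes` set standing in for the configured extra attributes, and the sample attribute names are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class AttributeAllowList {
    // Regex quoted in the message: letters-only prefix, one colon, letters-only local name.
    private static final Pattern PREFIXED = Pattern.compile("^[a-zA-Z]+:[a-zA-Z]+$");

    // Assumption: stands in for the extra attribute names read from configuration.
    private final Set<String> extraAttributes;

    public AttributeAllowList(Set<String> extraAttributes) {
        this.extraAttributes = Set.copyOf(extraAttributes);
    }

    /** Decides on the attribute name only; the value is never inspected here. */
    public boolean isAllowed(String name) {
        if (name == null) {
            return false;
        }
        // matches() must consume the whole input, so "xml:lang\n" is rejected,
        // whereas find() would accept it because '$' also matches before a final newline.
        return PREFIXED.matcher(name).matches() || extraAttributes.contains(name);
    }

    /** Returns a new map holding only the attributes whose names are allowed. */
    public Map<String, String> filter(Map<String, String> attributes) {
        Map<String, String> kept = new LinkedHashMap<>();
        attributes.forEach((name, value) -> {
            if (isAllowed(name)) {
                kept.put(name, value);
            }
        });
        return kept;
    }

    public static void main(String[] args) {
        AttributeAllowList allowList = new AttributeAllowList(Set.of("class", "title"));
        Map<String, String> attributes = new LinkedHashMap<>();  // constructed sample input
        attributes.put("xml:lang", "en");      // kept: prefixed name
        attributes.put("class", "note");       // kept: configured extra attribute
        attributes.put("onclick", "f()");      // dropped: no prefix, not an extra attribute
        attributes.put("data-x:y", "1");       // dropped: '-' is outside [a-zA-Z]
        attributes.put("a:b:c", "1");          // dropped: more than one colon
        attributes.put("xml:lang\n", "en");    // dropped: trailing newline
        System.out.println(allowList.filter(attributes).keySet());
    }
}
```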