Yes, using a whitelist is the only safe way to achieve it. 3.a) is still dangerous, so I'm rather for the 3.b) (or 3.c)) solution.
I think we need to support at least these attributes: "alt", "class", "height", "id", "name", "rel", "scope", "style", "target", "title", "width". Of course, I can add others to this list if you think that they should be supported.
Thanks,
Thomas
On Wed, Jun 19, 2013 at 4:09 PM, Sergiu Dumitriu <sergiu(a)xwiki.org> wrote:
On 06/19/2013 09:23 AM, Thomas Delafosse wrote:
Hi all,
We have some security issues with the wiki syntax: people can use it for including some javascript, as you can pass javascript attributes (onclick, etc.) in link parameters, for example. As it is dangerous to let anyone include javascript code, we should at least restrict which attributes unprivileged users could use with the wiki syntax.
The question is: should users with PR rights still be able to include Javascript thanks to the syntax?
Either:
1) We restrict the wiki syntax for unprivileged users but give no restriction for users with PR.
2) We restrict the wiki syntax for everybody.
To my mind, the wiki syntax is not designed for including javascript; there is the HTML macro and Skin extensions for that, so I'm in favor of 2).
But perhaps this is something some of you use often, in which case we should perhaps rather go for solution 1).
The {{html}} macro is not supposed to stay, but the official recommended
practice is indeed to use skin extensions for any JS/CSS need.
What do you think?
Thanks,
Thomas
--
Sergiu Dumitriu
http://purl.org/net/sergiu
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
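The whitelist approach Thomas proposes, as an added illustration that is not XWiki's code: a small filter that keeps only the attribute names listed in the thread and drops everything else (so any `on*` event handler is removed regardless of letter case). The `key="value"` parameter syntax, the function names and the sample input are assumptions made for this example; XWiki's real parameter parser is not reproduced here.

```python
import html
import re

# Attribute names proposed in the thread, compared case-insensitively.
ALLOWED_ATTRIBUTES = frozenset({
    "alt", "class", "height", "id", "name", "rel", "scope",
    "style", "target", "title", "width",
})

# Hypothetical parameter syntax: whitespace-separated key="value" pairs.
_PARAM_RE = re.compile(r'\s*([^\s="]+)\s*=\s*"([^"]*)"')


def parse_parameters(raw):
    """Split a raw parameter string into an ordered list of (name, value) pairs."""
    return [(m.group(1), m.group(2)) for m in _PARAM_RE.finditer(raw)]


def filter_parameters(raw, allowed=ALLOWED_ATTRIBUTES):
    """Apply the whitelist.

    Returns (kept, dropped): kept holds the allowed pairs with the name
    lower-cased; dropped holds every rejected pair so the caller can log it.
    Unknown names are rejected by default, which is what makes this a whitelist
    rather than a blacklist of known-bad names such as "onclick".
    """
    kept, dropped = [], []
    for name, value in parse_parameters(raw):
        if name.lower() in allowed:
            kept.append((name.lower(), value))
        else:
            dropped.append((name, value))
    return kept, dropped


def render_parameters(kept):
    """Serialise the surviving pairs, escaping values for an attribute context."""
    return " ".join(f'{name}="{html.escape(value, quote=True)}"'
                    for name, value in kept)


if __name__ == "__main__":
    # Constructed sample: two legitimate attributes and two event handlers,
    # one of them in mixed case to show that matching is case-insensitive.
    sample = 'title="Docs" onclick="alert(1)" OnMouseOver="alert(2)" class="link"'
    kept, dropped = filter_parameters(sample)
    print("kept:   ", render_parameters(kept))
    print("dropped:", [name for name, _ in dropped])
```

The `dropped` list is worth writing to the wiki's log: a burst of rejected `on*` parameters from one account is a useful detection signal even though the filter already neutralises them. Note that the whitelist only constrains attribute names; the values of the surviving attributes are still escaped at render time, which is why `render_parameters` does not trust them either.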