On 06/24/2013 10:41 AM, Thomas Delafosse wrote:
Hi all,
To achieve the implementation of this solution (see
https://github.com/tdelafosse/xwiki-rendering/compare/XSS-protected and
https://github.com/tdelafosse/xwiki-platform/compare/XWiki-9151 for more
details), I've had to break a few APIs. Here are the changes that make
CLIRR complain:
1) I've added a getExtraAttributes() method in the RenderingConfiguration
2) I've added a createSecureRenderer(WikiPrinter) method in the
PrintRendererFactory interface, in order to be able to get a "secure"
renderer from block renderers
3) I've also had to change XMLWikiPrinter and XHTMLWikiPrinter into
interfaces. They are implemented by a "secure" and a "default"
XMLWikiPrinter (resp. XHTMLWikiPrinter). The "default" printer being the
one defined before.
Does this seem OK to you?
Do we need the old printers?
I guess that as an independent rendering engine, it would be good to
have the ability to have a full wiki->XDOM->XHTML pipeline.
As a secure independent rendering engine, it would also be good to have
a secure XHTML output, without making the (API) users do extra work to
get the security working.
Thanks,
Thomas
On Fri, Jun 21, 2013 at 2:34 PM, Thomas Delafosse <
thomas.delafosse(a)xwiki.com> wrote:
> I had in mind to authorize any attribute matching the following regex
> "^[a-zA-Z]+:[a-zA-Z]+$". With that, any prefixed attribute (without special
> chars) would be accepted, so I don't see any use case for enabling some
> extra regex, while it can be useful to authorize some extra attributes.
--
Sergiu Dumitriu
http://purl.org/net/sergiu
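
An added example, not part of the thread and not code from xwiki-rendering: a name-based attribute check that combines a fixed list, a configurable extra list, and the prefixed-attribute regex quoted above. The class name, the base list and the sample names are constructed, and the `extra` set only stands in for whatever `getExtraAttributes()` returns (its return type is an assumption).

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added illustration; hypothetical class, not the project's implementation.
public class AttributeAllowlistDemo {
    // Pattern quoted in the thread: prefix ':' local name, ASCII letters only.
    static final Pattern PREFIXED = Pattern.compile("^[a-zA-Z]+:[a-zA-Z]+$");

    // Constructed base list; the project's real default list is not on the page.
    static final Set<String> BASE = Set.of("class", "id", "title", "href", "alt");

    private final Set<String> extra;

    // 'extra' stands in for the configured extra attributes (type assumed).
    AttributeAllowlistDemo(Set<String> extra) {
        this.extra = extra;
    }

    boolean isAllowed(String name) {
        if (name == null) {
            return false;
        }
        // Attribute names are compared case-insensitively; Locale.ROOT keeps
        // the lowercasing independent of the JVM's default locale.
        String lower = name.toLowerCase(Locale.ROOT);
        if (BASE.contains(lower) || extra.contains(lower)) {
            return true;
        }
        // matches() must consume the whole string. With find(), '$' would also
        // match just before a trailing line terminator and accept "xml:lang\n".
        return PREFIXED.matcher(name).matches();
    }

    public static void main(String[] args) {
        AttributeAllowlistDemo filter = new AttributeAllowlistDemo(Set.of("role"));
        // Constructed sample names covering each branch of the check.
        List<String> samples = List.of("class", "role", "xml:lang", "xlink:href",
                "onclick", "data-x", "a:b:c", "x:on-load", "xml:lang\n");
        for (String s : samples) {
            String shown = s.replace("\n", "\\n");
            System.out.printf("%-12s %s%n", shown,
                    filter.isAllowed(s) ? "allowed" : "rejected");
        }
    }
}
```

The check looks only at the attribute name, so a prefixed attribute such as `xlink:href` passes it whatever its value is; value filtering has to happen separately.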