Thomas or someone else, any hint on how I can retrieve who is the owner of the current macro block?
I injected the Execution component in order to get the ExecutionContext in the hope that it should help me figure out who is the owner of the macro block and if he has programming rights or not.
I can't seem to find a way to know the author...
Thanks in advance for your help!
--
Chris
On 8/10/2013 10:19, Christian Meunier wrote:
Hi Thomas,
Thanks for taking the time during your holiday to reply to me!
Ya, if you can create a branch or even simply create a gist with your secure html macro, it would be great. Otherwise, in the meantime, I will come up with a simpler version (no check against users with programming rights) that leverages Jsoup.Whitelist...
For now, the only security PR I merged on my own is your wiki syntax XSS one, and I did put a comment for a little bug I found (Tlvenn is my pseudo on github):
Thanks again and enjoy your holidays!
On 8/10/2013 05:10, Thomas Delafosse wrote:
Hello Christian,
It's nice to see that you are interested in XWiki security :)
As for the secure html macro I've been working on, there's no PR made for it (the issue was that it was breaking a lot of panels that were using unsafe html code thanks to this macro), but I would try to create a branch on github with the corresponding code when I have time. To sum up what I've done, I just used a library called JSoup which allows one to easily deal with whitelists (see http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html for example). And as I wanted to let users with Programming Rights use the HTML macro without restriction, I had to put my "secure" html macro in xwiki-platform instead of xwiki-rendering, so that my whitelist check is not used against these users.
BTW let me know if there is any issue you get with my other XSS PR and don't hesitate to contact me if you have questions or suggestions about what I've done there (or for other security matters!). As Vincent said, I'm on holiday right now, so I could be slow to answer, but I won't forget you ;).
Thanks !
Thomas
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
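The approach Thomas describes (run untrusted HTML through a JSoup whitelist, skip the check for users with Programming Rights) as an added example; this is not XWiki's or Thomas's code. It assumes a `hasProgrammingRights` flag is already resolved by the caller, since how XWiki determines the macro author's rights is exactly the open question in this thread.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Added example of a whitelist-based "secure html macro" body using JSoup.
 * Not XWiki's code; the rights lookup is left to the caller (assumption).
 */
public class SecureHtmlExample {

    // Whitelist for ordinary users: basic() already drops <script>, inline
    // event handlers and non-http(s)/mailto/ftp link protocols. Images with
    // http/https sources are added on top as an example of extending it.
    private static final Whitelist USER_WHITELIST = Whitelist.basic()
            .addTags("img")
            .addAttributes("img", "src", "alt")
            .addProtocols("img", "src", "http", "https");

    /**
     * Returns the HTML to render. Callers with programming rights get the
     * input untouched (mirroring the "without restriction" rule above);
     * everyone else gets the cleaned version.
     *
     * @param html                 untrusted macro content
     * @param hasProgrammingRights whether the macro's author holds
     *                             Programming Rights (resolved by the caller;
     *                             hypothetical parameter for this example)
     */
    public static String render(String html, boolean hasProgrammingRights) {
        if (hasProgrammingRights) {
            return html;
        }
        return Jsoup.clean(html, USER_WHITELIST);
    }

    public static void main(String[] args) {
        // Constructed sample input: an inline handler, a script tag and a
        // javascript: URL, i.e. the classic things the whitelist must strip.
        String input = "<p onclick=\"alert(1)\">Hello <b>world</b></p>"
                + "<script>alert(1)</script>"
                + "<a href=\"javascript:alert(2)\">link</a>"
                + "<img src=\"https://example.org/a.png\" alt=\"ok\">";

        // Ordinary user: script gone, onclick gone, javascript: href removed,
        // https image kept.
        System.out.println(render(input, false));

        // Privileged user: returned as-is, so this path must only be reached
        // after the rights check has actually been performed.
        System.out.println(render(input, true));
    }
}
```

Note that the bypass for privileged users is only as safe as the rights check feeding the flag, which is why Thomas placed the macro in xwiki-platform where that check is available.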