Hello Christian,
It's nice to see that you are interested in XWiki security :)
As for the secure HTML macro I've been working on, there's no PR made for
it (the issue was that it was breaking a lot of panels that were using
unsafe HTML code thanks to this macro), but I'll try to create a branch
on GitHub with the corresponding code when I have time. To sum up what I've
done, I just used a library called JSoup which makes it easy to deal with
whitelists (see
http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html for an
example). And as I wanted to let users with Programming Rights use the HTML
macro without restriction, I had to put my "secure" HTML macro in
xwiki-platform instead of xwiki-rendering, so that my whitelist check is
not used against these users.
BTW let me know if there are any issues you get with my other XSS PR, and don't
hesitate to contact me if you have questions or suggestions about what I've
done there (or about other security matters!). As Vincent said, I'm on
holiday right now, so I could be slow to answer, but I won't forget you ;).
Thanks!
Thomas
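The approach Thomas describes above (a JSoup whitelist applied to the macro body, skipped for callers holding Programming Rights), as an added illustration that is not the XWiki code or the branch he mentions. The class name, the policy in `POLICY`, the `hasProgrammingRights` parameter and the sample input are all assumptions made for the sketch; how XWiki actually looks up the author's rights is not shown. It uses the 2013-era jsoup API (`org.jsoup.safety.Whitelist`); jsoup 1.14.1 and later call the same class `Safelist`.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

/**
 * Illustrative sketch, not XWiki code: sanitize the {{html}} macro content
 * with a JSoup whitelist unless the caller holds Programming Rights.
 */
public class HtmlMacroSanitizer {

    // Assumed policy: basic formatting plus images and simple tables,
    // a class attribute on any element, and only http/https URLs.
    // Everything else (script, style, event handlers, javascript: links)
    // is dropped by Jsoup.clean().
    private static final Whitelist POLICY = Whitelist.basicWithImages()
            .addTags("table", "thead", "tbody", "tr", "th", "td",
                     "h1", "h2", "h3", "h4", "h5", "h6")
            .addAttributes(":all", "class")
            .addProtocols("a", "href", "http", "https")
            .addProtocols("img", "src", "http", "https");

    /**
     * @param html                 raw body of the HTML macro
     * @param hasProgrammingRights whether the document author has Programming
     *                             Rights; assumed to be resolved by the caller
     *                             (in XWiki that check lives at the platform
     *                             level, which is why the message above puts
     *                             the macro in xwiki-platform)
     * @return the body unchanged for privileged authors, otherwise the
     *         whitelist-cleaned fragment
     */
    public static String sanitize(String html, boolean hasProgrammingRights) {
        if (hasProgrammingRights) {
            return html; // unrestricted, as the message describes
        }
        // Jsoup.clean parses the fragment, walks the tree and re-serialises
        // only the tags/attributes/protocols the whitelist allows.
        return Jsoup.clean(html, POLICY);
    }

    public static void main(String[] args) {
        // Constructed sample input: an inline event handler, a script tag,
        // a javascript: URL and an onerror handler on an otherwise valid image.
        String untrusted = "<p onclick=\"alert(1)\">Hi <b>there</b></p>"
                + "<script>alert(document.cookie)</script>"
                + "<a href=\"javascript:alert(2)\">x</a>"
                + "<img src=\"http://example.org/a.png\" onerror=\"alert(3)\">";

        System.out.println("unprivileged: " + sanitize(untrusted, false));
        System.out.println("programming rights: " + sanitize(untrusted, true));
    }
}
```

Run it with jsoup on the classpath (`javac -cp jsoup-1.7.2.jar HtmlMacroSanitizer.java && java -cp .:jsoup-1.7.2.jar HtmlMacroSanitizer`, the version being a placeholder). The unprivileged output keeps the paragraph, bold text and image but loses the script element, both event handlers and the `javascript:` href; the privileged output is the input verbatim, which is exactly the trade-off the message above describes for panels that rely on unsafe HTML.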
On Wed, Aug 7, 2013 at 5:32 PM, Vincent Massol <vincent(a)massol.net> wrote:
On Aug 7, 2013, at 5:30 PM, Christian Meunier <
christian.meunier(a)magelo.com> wrote:
Hi Vincent,
Can you point me to the PR from Thomas? I have already integrated the
XSS PR but it does not secure the HTML macro out of the box right now.
Looks like a @Named("securehtml") component would be needed in order to
provide a secured HTML macro; has anyone started working on it already?
I'll let ThomasD answer this since I'm not sure where it is… (Note: Thomas
might be on holiday ATM)
AFAIR he's using tagsoup as an htmlcleaner filter (configurable through
the xwiki configuration files).
Thanks
-Vincent
Thanks!

>>> Also if you could explain to me how I can secure the HtmlMacro without
>>> touching its jar, that would be very helpful. From looking around and the
>>> discussion, I was under the impression that it was possible but I just don't
>>> know how…

>> This is a work in progress. There's a pull request from Thomas Delafosse
>> about this but it's not been applied yet AFAIK.
>
>> Thanks
>> -Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs