On 06/19/2013 09:23 AM, Thomas Delafosse wrote:
> Hi all,
> We have some security issues with the wiki syntax: people can use it
> for including some javascript, as you can pass javascript attributes
> (onclick, etc.) in link parameters for example. As it is dangerous to
> let anyone include javascript code, we should at least restrict which
> attributes unprivileged users could use with the wiki syntax.
> The question is, should users with PR rights still be able to include
> Javascript thanks to the syntax?
> Either:
> 1) We restrict the wiki syntax for unprivileged users but give no
> restriction for users with PR.
> 2) We restrict the wiki syntax for everybody.
> To my mind, the wiki syntax is not designed for including javascript; there
> is the HTML macro and Skin extensions for that, so I'm in favor of 2).
> But perhaps this is something some of you use often, in which case we
> should perhaps rather go for solution 1).

The {{html}} macro is not supposed to stay, but the official recommended
practice is indeed to use skin extensions for any JS/CSS need.

> What do you think?
> Thanks,
> Thomas
--
Sergiu Dumitriu
http://purl.org/net/sergiu
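As an added illustration of the two options discussed in the thread (not code from XWiki or from either poster), the following Python sketch applies an attribute allowlist to the parameter part of XWiki-2.x-style links of the form `[[label>>target||name="value"]]`. The allowlist contents, the `author_has_pr` / `restrict_everyone` switches and the sample markup are all constructed for this example; the real rendering pipeline, escaping rules (`~"` inside values) and the exact set of safe attributes are assumptions, not XWiki's configuration.

```python
import re
from typing import List, Tuple

# Attributes an unprivileged author may still set on a link.
# Constructed allowlist for this example; not XWiki's actual configuration.
ALLOWED_LINK_PARAMS = frozenset({"title", "rel", "class", "target"})

# Matches one  name="value"  pair in the parameter part of a link
# (simplification: does not handle XWiki's ~" escape inside values).
_PARAM_RE = re.compile(r'([A-Za-z_][\w:.-]*)\s*=\s*"([^"]*)"')
# Matches one [[...]] link in the markup.
_LINK_RE = re.compile(r"\[\[(.*?)\]\]")


def parse_params(param_text: str) -> List[Tuple[str, str]]:
    """Turn 'a="1" b="2"' into [('a', '1'), ('b', '2')], preserving order."""
    return [(m.group(1), m.group(2)) for m in _PARAM_RE.finditer(param_text)]


def filter_params(params: List[Tuple[str, str]], restricted: bool):
    """Return (kept, dropped_names).

    When `restricted` is True, any on* event-handler attribute and any
    attribute outside the allowlist is dropped; otherwise all pass through.
    The explicit on* check is redundant with the allowlist but documents
    the intent and survives an accidental allowlist edit.
    """
    kept, dropped = [], []
    for name, value in params:
        lname = name.lower()
        if restricted and (lname.startswith("on") or lname not in ALLOWED_LINK_PARAMS):
            dropped.append(name)
        else:
            kept.append((name, value))
    return kept, dropped


def sanitize_links(markup: str, author_has_pr: bool,
                   restrict_everyone: bool = True) -> Tuple[str, List[str]]:
    """Rewrite every [[...||params]] link in `markup`.

    restrict_everyone=True  -> option 2 from the thread: allowlist for all authors.
    restrict_everyone=False -> option 1: authors holding programming rights are exempt.
    Returns the rewritten markup and the names of the attributes removed.
    """
    restricted = restrict_everyone or not author_has_pr
    removed: List[str] = []

    def rewrite(match: "re.Match[str]") -> str:
        body = match.group(1)
        if "||" not in body:
            return match.group(0)  # no parameters: nothing to filter
        target, _, param_text = body.partition("||")
        kept, dropped = filter_params(parse_params(param_text), restricted)
        removed.extend(dropped)
        if not kept:
            return f"[[{target}]]"
        rendered = " ".join(f'{n}="{v}"' for n, v in kept)
        return f"[[{target}||{rendered}]]"

    return _LINK_RE.sub(rewrite, markup), removed


# Constructed sample page content: one link carrying an event-handler
# attribute next to a harmless one, and one link without parameters.
SAMPLE = ('[[Click me>>Main.WebHome||onclick="alert(1)" title="home"]] '
          'and [[plain>>Main.Other]]')

if __name__ == "__main__":
    out, dropped = sanitize_links(SAMPLE, author_has_pr=False)
    print(out)        # onclick removed, title kept
    print(dropped)    # ['onclick']
    out, dropped = sanitize_links(SAMPLE, author_has_pr=True, restrict_everyone=False)
    print(out)        # option 1: PR holder's markup passes unchanged
```

The `removed` list is returned so that a save-time hook can log which attributes were stripped and from whom, which is the signal a wiki administrator would want when deciding whether option 1 is actually needed by anyone.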