On Sep 17, 2013, at 10:26 AM, Christian Meunier <christian.meunier(a)magelo.com> wrote:
Thanks Vincent for the heads up!
Any chance Marius or some other dev can have a look at the XSS in wiki Syntax PR?
I have tested it; besides the bug I have spotted, it worked just fine for me.
Would be nice to include this one in 5.2 because right now, it's just too trivial to do XSS injection with the wiki syntax..
It seems too large a patch to make it in 5.2 now (we're reaching RC1) but it could go in 5.3M1.
Thanks
-Vincent
Thanks !
--
Chris
On 9/17/2013 14:43, Vincent Massol wrote:
> Hi Christian,
>
> On Sep 17, 2013, at 8:16 AM, Christian Meunier <christian.meunier(a)magelo.com> wrote:
>
>> Hi Thomas,
>>
>> Hope you had good holidays !
>>
>> I was wondering if you could give me an update on the work you started for the html macro?
>> Btw, have you noticed my comment on https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662 ?
>>
>> Also, question for the devs, I see that the 5.2 is near the corner and yet many of Thomas's security PRs are still pending..
> Several have been applied (by Marius).
>
>> Shouldn't those security PRs be a priority? Is there a roadmap/target for those?
> FYI ThomasD was working lately on signed scripts which will fix a lot of current potential security issues. This is a big piece of work. I said "was" because Thomas is now going abroad in the context of his school studies and will probably be less available. The good news is that Denis Gervalle has agreed to carry on his work and more generally to focus on security issues for the coming 3 months at least.
>
> So you should see progress in this area :)
>
> Thanks
> -Vincent
>
>> Thanks !
>>
>> --
>> Chris
>>
>> On 8/10/2013 05:10, Thomas Delafosse wrote:
>>> Hello Christian,
>>>
>>> It's nice to see that you are interested in XWiki security :)
>>> As for the secure html macro I've been working on, there's no PR made for it
>>> (the issue was that it was breaking a lot of panels that were using unsafe
>>> html code thanks to this macro), but I would try to create a branch on github
>>> with the corresponding code when I have time. To sum up what I've done, I just
>>> used a library called JSoup which allows one to easily deal with whitelists
>>> (see http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html for example).
>>> And as I wanted to let users with Programming Rights use the HTML macro
>>> without restriction, I had to put my "secure" html macro in xwiki-platform
>>> instead of xwiki-rendering, so that my whitelist check is not used against
>>> these users.
>>> BTW let me know if there is any issue you get with my other XSS PR and don't
>>> hesitate to contact me if you have questions or suggestions about what I've
>>> done there (or for other security matters!). As Vincent said, I'm on holidays
>>> right now, so I could be slow to answer, but I won't forget you ;).
>>>
>>> Thanks !
>>>
>>> Thomas
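The whitelist approach Thomas describes above, as an added example rather than XWiki's or Thomas's own code: an HTML macro body is cleaned against a JSoup whitelist unless the caller holds Programming Rights, in which case it is passed through untouched. The class and method names and the `hasProgrammingRights` flag are assumptions standing in for XWiki's real rights check; the Jsoup calls (`Whitelist`, `Jsoup.clean`, `Jsoup.isValid`) are the library's own, and `Whitelist` is renamed `Safelist` in Jsoup 1.14 and later.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class SecureHtmlMacroExample {

    // Whitelist in the spirit of the thread: basic formatting plus headings and
    // tables, links limited to a few protocols, no script/style tags and no
    // event-handler attributes (Whitelist.basic() already drops those).
    static final Whitelist MACRO_WHITELIST = Whitelist.basic()
            .addTags("h1", "h2", "h3", "table", "thead", "tbody", "tr", "th", "td")
            .addAttributes("a", "href", "title")
            .addProtocols("a", "href", "http", "https", "mailto");

    /**
     * Renders the body of an html macro. hasProgrammingRights is a hypothetical
     * flag standing in for XWiki's rights check: such users get the raw body back,
     * everyone else gets it cleaned against the whitelist.
     */
    static String render(String body, boolean hasProgrammingRights) {
        if (hasProgrammingRights) {
            return body;
        }
        return Jsoup.clean(body, MACRO_WHITELIST);
    }

    /** True when cleaning would leave the body unchanged, i.e. nothing gets stripped. */
    static boolean isSafe(String body) {
        return Jsoup.isValid(body, MACRO_WHITELIST);
    }

    public static void main(String[] args) {
        // Constructed sample input: benign markup mixed with an inline event
        // handler, a javascript: link and a script tag.
        String body = "<p onclick=\"alert(1)\">Hello <b>world</b></p>"
                + "<a href=\"javascript:alert(1)\">link</a>"
                + "<script>alert(1)</script>";
        System.out.println("safe as-is: " + isSafe(body));
        System.out.println("cleaned:    " + render(body, false));
        System.out.println("privileged: " + render(body, true));
    }
}
```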