Definitely 2, since otherwise the syntax would be inconsistent.
The next question is:
3) whitelist: specify which attributes are allowed
4) blacklist: specify which attributes are forbidden
I'd go for 3), since the on* attributes vary depending on browser and
browser version, and will continue to grow as new HTML/JS APIs appear.
3a) list all currently known HTML attributes (except event ones)
3b) list only the attributes that we want to allow to use
3c) list HTML attributes, but allow all namespaced attributes for
extensibility (xwiki: prefix for our own usage, rdf: and rdfs: for
semantic stuff, role: for accessibility, etc)
For 4), instead of a specific list of attributes, we could blacklist
attributes that start with on*.
On 06/19/2013 09:23 AM, Thomas Delafosse wrote:
Hi all,
We have some security issues with the wiki syntax : people can use it
for including some javascript, as you can pass javascript attributes
(onclick, etc...) in links parameters for example. As it is dangerous to
let anyone include javascript code, we should at least restrict which
attributes unprivileged users could use with the wiki syntax.
The question is, should users with PR rights still be able to include
Javascript thanks to the syntax ?
Either :
1) We restrict the wiki syntax for unprivileged users but give no
restriction for users with PR.
2) We restrict the wiki syntax for everybody.
To my mind, the wiki syntax is not designed for including javascript, there
is the HTML macro and Skin extensions for that, so I'm in favor of 2).
But perhaps this is something some of you use often, in which case we
should perhaps rather go for solution 1).
What do you think ?
Thanks,
Thomas
--
Sergiu Dumitriu
http://purl.org/net/sergiu