25 Jul
2019
25 Jul
'19
4:22 p.m.
On Thu, Jul 25, 2019 at 11:39 AM Simon Urli <simon.urli(a)xwiki.com> wrote:
Hi everyone,
I'm currently working on improving security on XWiki comments. We
already use a restricted mode in our comments but that does not cover
every possible case. In order to improve it we should also filter out
some part of the html when using the html macro.
Is the HTML macro needed in comments? Do you have a real use case for this?
Wouldn't it be more simple to completly forbid HTML and script macros in
comments?
Thanks,
Marius
I propose:
(a) that we use a configurable whitelist of HTML attributes that
would be allowed in the output HTML: all the other attributes would be
filtered out.
(b) that the HTML macro is put in restricted mode for users who do
not have scripting rights.
For (a) I'm hesitating between a whitelist or a blacklist: I assume a
blacklist would be shorter but there's also more risk of missing
something. On the contrary a configurable whitelist doesn't prevent
administrator to accept more than what we give in standard.
A first whitelist could be (taken from:
https://github.com/xwiki/xwiki-platform/pull/122/files#diff-c33fcb5dca86b15…
)
alt, class, height, id, name, rel, scope, style, target, title, width
Note that href is not included in this list for example.
WDYT?
Simon
--
Simon Urli
Software Engineer at XWiki SAS
simon.urli(a)xwiki.com
More about us at http://www.xwiki.com