[xwiki-devs] [Proposal] Use an attribute whitelist for HtmlCleaner restricted mode

Hi everyone, I'm currently working on improving security on XWiki comments. We already use a restricted mode in our comments but that does not cover every possible case. In order to improve it we should also filter out some part of the html when using the html macro. I propose: (a) that we use a configurable whitelist of HTML attributes that would be allowed in the output HTML: all the other attributes would be filtered out. (b) that the HTML macro is put in restricted mode for users who do not have scripting rights. For (a) I'm hesitating between a whitelist or a blacklist: I assume a blacklist would be shorter but there's also more risk of missing something. On the contrary a configurable whitelist doesn't prevent administrator to accept more than what we give in standard. A first whitelist could be (taken from: https://github.com/xwiki/xwiki-platform/pull/122/files#diff-c33fcb5dca86b15…) alt, class, height, id, name, rel, scope, style, target, title, width Note that href is not included in this list for example. WDYT? Simon -- Simon Urli Software Engineer at XWiki SAS simon.urli(a)xwiki.com More about us at http://www.xwiki.com