15 Apr
2016
15 Apr
'16
10:56 p.m.
Hi,
I wanted to assess how difficult it might be to disable all javascript
execution in HTML macros on XWiki. My main concern would be to avoid
breaking any important XWiki pages that utilize javascript within the HTML
macro (as referenced here:
http://lists.xwiki.org/pipermail/users/2009-June/012226.html). Is there any
XWiki functionality that is still dependent on executing javascript via
{{html}}?
I also noticed in the comments on this JIRA issue
(https://jira.xwiki.org/browse/XRENDERING-27?jql=text%20~%20%22html%20macro%…),
Vincent Massol mentioned that wiki macros 2.0 will be designed in such a way
that we can override the HTML macro and filter out javascript usages. I was
wondering if this was still the best solution to disabling future javscript
usage within {{html}}. Thank you!
--
View this message in context:
http://xwiki.475771.n2.nabble.com/Disabling-javascript-in-HTML-macro-tp7599…
Sent from the XWiki- Users mailing list archive at Nabble.com.
18 Apr
18 Apr
10:25 a.m.
The HTML macro doesn't execute JavaScript code. It outputs HTML code that
ends up being interpreted by the browser. So in order to prevent the
execution of the JavaScript code that might be embedded in the HTML code
generated by the HTML macro, the options are:
(1) prevent the usage of the HTML macro (I don't know if it's possible
right now, but it would be nice to be able to add a wiki macro, HTML in
this case, to the list of wiki macros that require Script right in order to
be executed)
(2) add support for "cleaning" the JavaScript code from the output produced
by the HTML macro (enabled with a parameter)
(3) modify the HTML macro to require Script right when JavaScript code is
detected
Unfortunately none is implemented yet, afaik.
On Fri, Apr 15, 2016 at 11:56 PM, Andrew Kuang <afkuang(a)gmail.com> wrote:
Hi,
I wanted to assess how difficult it might be to disable all javascript
execution in HTML macros on XWiki. My main concern would be to avoid
breaking any important XWiki pages that utilize javascript within the HTML
macro (as referenced here:
http://lists.xwiki.org/pipermail/users/2009-June/012226.html). Is there
any
XWiki functionality that is still dependent on executing javascript via
{{html}}?
I also noticed in the comments on this JIRA issue
(
https://jira.xwiki.org/browse/XRENDERING-27?jql=text%20~%20%22html%20macro%…
),
Vincent Massol mentioned that wiki macros 2.0 will be designed in such a
way
that we can override the HTML macro and filter out javascript usages. I was
wondering if this was still the best solution to disabling future javscript
usage within {{html}}. Thank you!
--
View this message in context:
http://xwiki.475771.n2.nabble.com/Disabling-javascript-in-HTML-macro-tp7599…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
5:14 p.m.
Hi Andrew,
On 15 Apr 2016, at 22:56, Andrew Kuang
<afkuang(a)gmail.com> wrote:
Hi,
I wanted to assess how difficult it might be to disable all javascript
execution in HTML macros on XWiki. My main concern would be to avoid
breaking any important XWiki pages that utilize javascript within the HTML
macro (as referenced here:
http://lists.xwiki.org/pipermail/users/2009-June/012226.html). Is there any
XWiki functionality that is still dependent on executing javascript via
{{html}}?
I also noticed in the comments on this JIRA issue
(https://jira.xwiki.org/browse/XRENDERING-27?jql=text%20~%20%22html%20macro%…),
Vincent Massol mentioned that wiki macros 2.0 will be designed in such a way
that we can override the HTML macro and filter out javascript usages. I was
wondering if this was still the best solution to disabling future javscript
usage within {{html}}. Thank you!
While googling I’ve found this solution
http://kudzia.eu/b/2014/11/xwiki-html-macro-tag-and-unwanted-javascript/
Would that work for you?
I remember that Thomas Delafosse worked on some code to filter out javascript and other
tags from the HTML Macro but I don’t remember the status. I’ve just found this email
thread: http://lists.xwiki.org/pipermail/devs/2013-June/054519.html
Thanks
-Vincent
View this message in context:
http://xwiki.475771.n2.nabble.com/Disabling-javascript-in-HTML-macro-tp7599…
7:32 p.m.
Thank you for the responses, Vincent and Marius.
After playing around with the HTML macro, I came across a potential
solution. It appears that all the XWiki-created pages reside within certain
spaces (xwiki:Wiki, xwiki:WikiManager, etc). With that in mind, I was able
to prototype an override for the HTML macro that whitelisted specific wiki
spaces (Wiki, WikiManager, etc) and potentially lock down the creation/edit
of pages in those spaces to the Admin group. This way we would be able to
avoid conflicting with any existing Javascript usage while preventing
outside (non-admin) users from using JavaScript on their pages.
In the event that the page in question is not part of the whitelisted space
and contains Javascript, we would return an error block with an error
message instead of rendering the content passed into the HTML macro. I
wanted to get any input on if this is a viable solution or if there are any
crucial parts I may have overlooked that jeopardize this approach. Thank
you!
--
View this message in context:
http://xwiki.475771.n2.nabble.com/Disabling-javascript-in-HTML-macro-tp7599…
Sent from the XWiki- Users mailing list archive at Nabble.com.
19 Apr
19 Apr
4:07 p.m.
Hi Andrew,
On 18 Apr 2016, at 19:32, Andrew Kuang
<afkuang(a)gmail.com> wrote:
Thank you for the responses, Vincent and Marius.
After playing around with the HTML macro, I came across a potential
solution. It appears that all the XWiki-created pages reside within certain
spaces (xwiki:Wiki, xwiki:WikiManager, etc). With that in mind, I was able
to prototype an override for the HTML macro that whitelisted specific wiki
spaces (Wiki, WikiManager, etc) and potentially lock down the creation/edit
of pages in those spaces to the Admin group. This way we would be able to
avoid conflicting with any existing Javascript usage while preventing
outside (non-admin) users from using JavaScript on their pages.
In the event that the page in question is not part of the whitelisted space
and contains Javascript, we would return an error block with an error
message instead of rendering the content passed into the HTML macro. I
wanted to get any input on if this is a viable solution or if there are any
crucial parts I may have overlooked that jeopardize this approach. Thank
you!
The main issue I can see is that XWiki extensions contribute pages in various spaces. For
example the Admin Application contributes pages in the XWiki space, while the FAQ
Application contributes pages in the FAQ and FAQCode spaces. So if one extension requires
javascript you’ll need to add those spaces to your whitelist.
Another option you have is to allow javascript when the last author of the page has
programming rights for example (this is the highest security level in XWiki) or even Admin
rights. Thus installed extensions would work since you install them with a user having
Admin rights at minimum.
To check for this is easy:
@Inject
private ContextualAuthorizationManager cam;
…
if (!cam.hasAccess(Right.PROGRAM, <current doc reference>) {…}
Hope it helps,
Thanks
-Vincent
View this message in context:
http://xwiki.475771.n2.nabble.com/Disabling-javascript-in-HTML-macro-tp7599…
3125
days inactive
3129
days old
4 comments
3 participants
participants (3)
-
Andrew Kuang -
Marius Dumitru Florea -
Vincent Massol