Note that this mail is only for the HTML cleaner. But this whitelist will also be important to fix https://jira.xwiki.org/browse/XWIKI-9151.
On Thu, Jul 25, 2019 at 10:49 AM Simon Urli <[email protected]> wrote:
>
> On 25/07/2019 10:39, Simon Urli wrote:
> > Hi everyone,
> >
> > I'm currently working on improving security on XWiki comments. We
> > already use a restricted mode in our comments but that does not cover
> > every possible case. In order to improve it we should also filter out
> > some parts of the HTML when using the HTML macro.
> >
> > I propose:
> >
> > (a) that we use a configurable whitelist of HTML attributes that
> > would be allowed in the output HTML: all the other attributes would be
> > filtered out.
> >
> > (b) that the HTML macro is put in restricted mode for users who do
> > not have scripting rights.
> >
> > For (a) I'm hesitating between a whitelist and a blacklist: I assume a
> > blacklist would be shorter but there's also more risk of missing
> > something. On the contrary, a configurable whitelist doesn't prevent
> > administrators from accepting more than what we give as standard.
> >
> > A first whitelist could be (taken from:
> > https://github.com/xwiki/xwiki-platform/pull/122/files#diff-c33fcb5dca86b155928768dd6e6fbf7eR146)
> >
> > alt, class, height, id, name, rel, scope, style, target, title, width
> >
> > Note that href is not included in this list, for example.
>
> IMO the href not being included in the list is related to the
> possibility to write something like:
> <a href="javascript:myfunction()">
>
> Now I guess we could also detect the "javascript:" prefix in the href
> attribute in restricted mode and discard only those. I don't see another
> use case where it could be a problem.
>
> >
> > WDYT?
> >
> > Simon
> >
>
> --
> Simon Urli
> Software Engineer at XWiki SAS
> [email protected]
> More about us at http://www.xwiki.com

--
Thomas Mortagne
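The two mechanisms discussed in the thread, an attribute whitelist and a check on the href value, as an added example that is not XWiki's own code (XWiki is written in Java; this is a stand-alone Python sketch on top of the standard-library html.parser). It uses the attribute list quoted above verbatim. For href it goes one step beyond "detect the javascript: prefix": instead of blacklisting javascript:, it allowlists URL schemes (http, https, mailto, ftp, plus scheme-less relative URLs), which is the whitelist-flavoured version of the same check and also rejects data: and vbscript: without listing them. The scheme list, the normalisation of tabs, newlines and leading control characters (the way browsers treat them before reading the scheme), and the sample input are assumptions made for this example; the sample is constructed, not taken from a real page.

```python
import re
from html import escape
from html.parser import HTMLParser

# Attribute whitelist proposed in the thread; every other attribute is dropped.
ALLOWED_ATTRS = {"alt", "class", "height", "id", "name", "rel", "scope",
                 "style", "target", "title", "width"}

# href is handled separately: kept only when its URL scheme is on an allowlist
# (assumed list for this example), which generalises "discard javascript:".
URL_ATTRS = {"href"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# Browsers strip ASCII tab/newline/CR anywhere in a URL and leading C0 controls
# and spaces before reading the scheme, so "java\tscript:" and "  javascript:"
# both execute. Normalise the same way before looking at the scheme.
_STRIP_ANYWHERE = "\t\n\r"
_STRIP_LEADING = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def url_is_safe(value):
    """True if the URL is relative or uses a scheme from SAFE_SCHEMES."""
    cleaned = "".join(ch for ch in value if ch not in _STRIP_ANYWHERE)
    cleaned = cleaned.lstrip(_STRIP_LEADING)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme: a relative URL such as /xwiki/bin/view/Main/
    return match.group(1).lower() in SAFE_SCHEMES


class AttributeFilter(HTMLParser):
    """Re-serialises HTML keeping only whitelisted attributes and safe hrefs.

    Tags are passed through unchanged: the thread is about attributes, and
    tag filtering is assumed to happen elsewhere in the cleaner.
    """

    def __init__(self):
        # convert_charrefs=True: attribute values and text arrive decoded, so
        # "&#106;avascript:" is seen as "javascript:" and cannot slip past.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute, value) for every removed attribute

    def _emit(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:  # html.parser already lower-cases names
            if name in ALLOWED_ATTRS:
                kept.append((name, value))
            elif name in URL_ATTRS and value is not None and url_is_safe(value):
                kept.append((name, value))
            else:
                self.dropped.append((tag, name, value))
        parts = [tag] + ['%s="%s"' % (n, escape(v or "", quote=True)) for n, v in kept]
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text

    def handle_comment(self, data):
        pass  # comments are dropped


def sanitize(html):
    """Return (filtered_html, dropped_attributes)."""
    p = AttributeFilter()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample input covering the javascript: spellings browsers accept.
SAMPLE = (
    '<a href="javascript:alert(1)" onclick="steal()" title="x">click</a>'
    '<a href="  JaVaScRiPt:alert(2)">ws</a>'
    '<a href="java&#9;script:alert(3)">tab</a>'
    '<a href="&#106;avascript:alert(4)">entity</a>'
    '<a href="https://xwiki.org/" target="_blank">ok</a>'
    '<a href="/xwiki/bin/view/Main/">relative</a>'
    '<img alt="pic" onerror="alert(5)" src="x">'
)

if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE)
    print(cleaned)
    for tag, name, value in dropped:
        print("dropped <%s %s=%r>" % (tag, name, value))
```

Running it drops href on the first four anchors (plain, mixed case with leading spaces, tab inside the scheme, entity-encoded first letter), keeps the https and relative hrefs, and strips onclick, onerror and src because they are not on the whitelist. The last point is worth noticing when adopting the list from the thread: src is not on it, so images lose their source unless it is given the same URL treatment as href.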

