On Thu, Jul 25, 2019 at 11:39 AM Simon Urli <[email protected]> wrote:
> Hi everyone,
>
> I'm currently working on improving security on XWiki comments. We already use a restricted mode in our comments but that does not cover every possible case. In order to improve it we should also filter out some parts of the HTML when using the HTML macro.

Is the HTML macro needed in comments? Do you have a real use case for this? Wouldn't it be simpler to completely forbid HTML and script macros in comments?

Thanks,
Marius

>
> I propose:
>
> (a) that we use a configurable whitelist of HTML attributes that would be allowed in the output HTML: all the other attributes would be filtered out.
>
> (b) that the HTML macro is put in restricted mode for users who do not have scripting rights.
>
> For (a) I'm hesitating between a whitelist or a blacklist: I assume a blacklist would be shorter but there's also more risk of missing something. On the contrary, a configurable whitelist doesn't prevent administrators from accepting more than what we provide by default.
>
> A first whitelist could be (taken from:
> https://github.com/xwiki/xwiki-platform/pull/122/files#diff-c33fcb5dca86b155928768dd6e6fbf7eR146 )
> alt, class, height, id, name, rel, scope, style, target, title, width
>
> Note that href is not included in this list for example.
>
> WDYT?
>
> Simon
>
> --
> Simon Urli
> Software Engineer at XWiki SAS
> [email protected]
> More about us at http://www.xwiki.com
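To make proposal (a) concrete, here is an added illustration of a configurable attribute allowlist applied to an HTML fragment. It is example code written for this page, not XWiki's own implementation or the code behind the linked pull request; the allowlist it ships with is the one quoted in the thread, and the `filter_attributes` / `AttributeAllowlistFilter` names are assumptions. Tags are deliberately left untouched, since the thread scopes the allowlist to attributes and handles the HTML macro itself through restricted mode in proposal (b).

```python
"""Attribute allowlist filter for HTML fragments (added example, not XWiki code)."""
import html
from html.parser import HTMLParser

# Assumption: this mirrors the first allowlist proposed in the thread. In a
# real deployment an administrator would extend it from configuration.
DEFAULT_ALLOWED_ATTRIBUTES = frozenset(
    ["alt", "class", "height", "id", "name", "rel", "scope",
     "style", "target", "title", "width"]
)


class AttributeAllowlistFilter(HTMLParser):
    """Re-serialise an HTML fragment, keeping only allowlisted attributes.

    Only attribute *names* are checked, as in the proposal: a kept attribute
    such as style passes through with its value unchanged. Tags are not
    filtered. Comments, doctype declarations and processing instructions are
    dropped because a comment never needs them.
    """

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = {a.lower() for a in allowed}
        self.out = []
        self.dropped = []  # (tag, attribute) pairs that were removed

    def _render_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if name not in self.allowed:
                self.dropped.append((tag, name))
                continue
            if value is None:  # boolean attribute, e.g. <input disabled>
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append("<%s%s>" % (tag, self._render_attrs(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append("<%s%s />" % (tag, self._render_attrs(tag, attrs)))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # convert_charrefs decoded entities on the way in; re-escape on the way out
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        return "".join(self.out)


def filter_attributes(fragment, allowed=DEFAULT_ALLOWED_ATTRIBUTES):
    """Return (filtered_html, dropped_attributes) for an HTML fragment."""
    f = AttributeAllowlistFilter(allowed)
    f.feed(fragment)
    f.close()
    return f.result(), f.dropped


if __name__ == "__main__":
    # Constructed sample input: a link with an event handler and an href.
    sample = '<a href="https://example.org" onclick="x()" title="t">link</a>'
    print(filter_attributes(sample))
    # An administrator who wants links can extend the list from configuration.
    print(filter_attributes(sample, DEFAULT_ALLOWED_ATTRIBUTES | {"href"}))
```

Two things worth noticing when running it: every event-handler attribute is dropped without the code needing to know its name, which is the argument for an allowlist over a blacklist, and `style` survives with whatever value it carried, because the proposal allowlists names rather than values. Whether `style` (and `target` without a matching `rel`) belong in the default list is therefore a separate decision from the allowlist mechanism itself.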

