Yes we should be protected against that.
We also should have ways to limit the rights to insert JS and scripting 
in pages, based on rights similar to the "programming" rights.

It should be possible to run a wiki where only a certain group of people 
is allowed to insert that type of content in pages.

This should additionally be handled at insert time (in addition to 
execution time, like the programming rights).

We also should be able to list all pages that make use of these advanced 
features:

- programming
- scripting
- javascript

Ludovic

Sergiu Dumitriu wrote:
> Hi devs,
>
> Should XWiki protect itself against CSRF? See 
> http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 and 
> http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
> for details.
>
> In short: an attacker could use something like:
> <img src="http://xwikiserver/bin/save/Some/Document?content=Hacked"/> to 
> alter the wiki using another user's account. Protection usually involves 
> embedding tokens in submitted forms and URLs. The good news is that it 
> can be done transparently using a LGPL tool from OWASP. The bad news is 
> that it does not protect against attacks from the same wiki, but only 
> for Cross-Site attacks. And it also breaks direct manipulation using 
> URLs (as an expert user, I do enter URLs directly instead of clicking 
> through the interface, and I won't like it if I couldn't do it anymore).
>
> So, WDYT?
-- 
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
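The synchronizer-token check Sergiu describes, as an added illustration that is not XWiki's code or the OWASP tool's: a per-session token is derived from a server secret, a state-changing action such as `save` is refused unless the request carries the matching token, and a read-only action needs none. The `form_token` parameter name, the server secret and the session ids are constructed for the example; the URL shape `/bin/<action>/<Space>/<Page>` follows the forged `<img>` URL quoted above.

```python
import hmac
import hashlib
from typing import Dict, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed server-side secret (placeholder, never a real deployment value).
SERVER_SECRET = b"constructed-demo-secret"
# Actions that modify the wiki and therefore require a token; "save" comes
# from the forged URL in the thread, further actions would be listed here.
STATE_CHANGING_ACTIONS = {"save"}


def issue_token(session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC of the session id under the server secret.
    The server embeds it in its own forms and links; a third-party page cannot
    read it, so a forged <img> or form submission arrives without it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def action_of(url: str) -> str:
    """Extract <action> from an XWiki-style path /bin/<action>/<Space>/<Page>."""
    parts = urlsplit(url).path.split("/")
    return parts[2] if len(parts) > 2 and parts[1] == "bin" else ""


def check_request(session_id: str, url: str, form: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request in the given session may proceed.
    Parameters may come from the query string (tokens in URLs, so an expert
    user can still type a URL by hand) or from the posted form body."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params.update(form)
    if action_of(url) not in STATE_CHANGING_ACTIONS:
        return True, "read-only action, no token required"
    submitted = params.get("form_token")
    if submitted is None:
        return False, "missing anti-CSRF token"
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(submitted, issue_token(session_id)):
        return False, "anti-CSRF token does not match this session"
    return True, "token valid"


if __name__ == "__main__":
    forged = "http://xwikiserver/bin/save/Some/Document?content=Hacked"  # the <img> URL
    print(check_request("victim-session", forged, {}))  # rejected: no token
    tok = issue_token("victim-session")
    print(check_request("victim-session", forged, {"form_token": tok}))  # accepted
```

Note the limitation Sergiu points out: script already running inside the wiki in the victim's session can read the token and pass it, so the check only stops cross-site requests, not content injected into the same wiki.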
