On Sep 17, 2013, at 10:26 AM, Christian Meunier <[email protected]> wrote:

> Thanks Vincent for the heads up!
>
> Any chance Marius or some other dev can have a look at the XSS in wiki syntax PR?
>
> https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662
>
> I have tested it; beside the bug I have spotted, it worked just fine for me.
>
> Would be nice to include this one in 5.2 because right now it's just too trivial to do XSS injection with the wiki syntax..

It seems too large a patch to make it in 5.2 now (we're reaching RC1) but it could go in 5.3M1.

Thanks
-Vincent

> Thanks!
>
> --
> Chris
>
> On 9/17/2013 14:43, Vincent Massol wrote:
>> Hi Christian,
>>
>> On Sep 17, 2013, at 8:16 AM, Christian Meunier <[email protected]> wrote:
>>
>>> Hi Thomas,
>>>
>>> Hope you had good holidays!
>>>
>>> I was wondering if you could give me an update on the work you started for the html macro?
>>> Btw, have you noticed my comment on https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662 ?
>>>
>>> Also, a question for the devs: I see that 5.2 is around the corner and yet many of Thomas's security PRs are still pending..
>>
>> Several have been applied (by Marius).
>>
>>> Shouldn't those security PRs be a priority? Is there a roadmap/target for those?
>>
>> FYI ThomasD was working lately on signed scripts which will fix a lot of current potential security issues. This is a big piece of work. I said "was" because Thomas is now going abroad in the context of his school studies and will probably be less available. The good news is that Denis Gervalle has agreed to carry on his work and more generally to focus on security issues for the coming 3 months at least.
>>
>> So you should see progress in this area :)
>>
>> Thanks
>> -Vincent
>>
>>> Thanks!
>>>
>>> --
>>> Chris
>>>
>>> On 8/10/2013 05:10, Thomas Delafosse wrote:
>>>> Hello Christian,
>>>>
>>>> It's nice to see that you are interested in XWiki security :)
>>>> As for the secure html macro I've been working on, there's no PR made for it (the issue was that it was breaking a lot of panels that were using unsafe html code thanks to this macro), but I will try to create a branch on github with the corresponding code when I have time. To sum up what I've done, I just used a library called JSoup which allows one to easily deal with whitelists (see http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html for example). And as I wanted to let users with Programming Rights use the HTML macro without restriction, I had to put my "secure" html macro in xwiki-platform instead of xwiki-rendering, so that my whitelist check is not used against these users.
>>>> BTW let me know if there is any issue you get with my other XSS PR and don't hesitate to contact me if you have questions or suggestions about what I've done there (or for other security matters!). As Vincent said, I'm on holiday right now, so I could be slow to answer, but I won't forget you ;).
>>>>
>>>> Thanks!
>>>>
>>>> Thomas

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
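The whitelist approach Thomas describes for the HTML macro, shown as an added example that is not XWiki's code: the macro body is cleaned against a JSoup Whitelist unless the caller holds Programming Rights. The `hasProgrammingRights` flag is an assumption standing in for XWiki's real rights check, and the sample input is constructed.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

public class SecureHtmlMacroExample {

    // Whitelist.basic() keeps simple text formatting and links (href limited to
    // http, https, ftp and mailto); script, style, iframe and every on* event
    // attribute are dropped. A few structural tags are added for wiki content.
    private static final Whitelist MACRO_WHITELIST = Whitelist.basic()
            .addTags("h1", "h2", "h3", "table", "thead", "tbody", "tr", "th", "td");

    /**
     * Returns the HTML that the macro should emit for its body.
     * hasProgrammingRights is an assumed flag: XWiki decides this through its
     * own rights service, which is not modelled here.
     */
    public static String render(String body, boolean hasProgrammingRights) {
        if (hasProgrammingRights) {
            // Trusted author: the body is passed through unchanged, as the
            // thread describes for Programming Rights holders.
            return body;
        }
        // Untrusted author: everything outside the whitelist is removed.
        return Jsoup.clean(body, MACRO_WHITELIST);
    }

    public static void main(String[] args) {
        // Constructed sample: legitimate markup mixed with an injected script,
        // an inline event handler and a javascript: link.
        String untrusted = "<h2>Title</h2>"
                + "<p onmouseover=\"evil()\">hello "
                + "<a href=\"javascript:evil()\">link</a></p>"
                + "<script>evil()</script>";

        System.out.println("restricted user:    " + render(untrusted, false));
        System.out.println("programming rights: " + render(untrusted, true));
    }
}
```

In jsoup 1.14.1 and later the class was renamed `Safelist`; the calls are otherwise the same.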

