Hello Christian,
Sorry to have been so long before answering ! Here's at least a
little patch that you can easily apply to make the HTML macro secure. Note that
a lot of HTML macros that are in wikis' default pages won't work anymore !
Note also that you need the JSOUP package (http://jsoup.org/download) in
your wiki libs to make it work, as this is the library I used for the
verification of the html macro content. For more liberty, you can instead
try to make a custom verification such as the one I made for the wiki
syntax, it's up to you :). To finish, note also that you should skip the
tests when building the new xwiki-rendering-macro-html package, as I didn't
adapt them (these tests contain quite a lot of tags and attributes that
should be forbidden for security reasons).
As I probably said earlier, a cleaner way to do that is to put the html
macro in the platform code, and to add a check for programming rights. I
got something like that somewhere, but I should rework it a bit when I get
some time to do it. But at least this patch should let you see how this is
supposed to work !
Of course if you have any questions, feel free to ask them, and I would try
to reply a bit faster this time ;)

Hope this helps !

Thomas

On Tue, Sep 17, 2013 at 11:34 AM, Vincent Massol <[email protected]> wrote:
>
> On Sep 17, 2013, at 10:26 AM, Christian Meunier <[email protected]> wrote:
>
> > Thanks Vincent for the heads up !
> >
> > Any chance Marius or some other dev can have a look at the XSS in wiki Syntax PR ?
> > https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662
> >
> > I have tested it, beside the bug I have spotted, it worked just fine for me.
> >
> > Would be nice to include this one in 5.2 because right now, it's just too trivial to do XSS injection with the wiki syntax..
>
> It seems too large a patch to make it in 5.2 now (we're reaching RC1) but it could go in 5.3M1.
>
> Thanks
> -Vincent
>
> > Thanks !
> >
> > --
> > Chris
> >
> > On 9/17/2013 14:43, Vincent Massol wrote:
> >> Hi Christian,
> >>
> >> On Sep 17, 2013, at 8:16 AM, Christian Meunier <[email protected]> wrote:
> >>
> >>> Hi Thomas,
> >>>
> >>> Hope you had good holidays !
> >>>
> >>> I was wondering if you could give me an update on the work you started for the html macro ?
> >>> Btw, have you noticed my comment on https://github.com/xwiki/xwiki-rendering/pull/6#discussion_r5632662 ?
> >>>
> >>> Also, question for the devs, I see that the 5.2 is near the corner and yet many of Thomas's security PRs are still pending..
> >> Several have been applied (by Marius).
> >>
> >>> Shouldn't those security PRs be a priority ? Is there a roadmap/target for those ?
> >> FYI ThomasD was working lately on signed scripts which will fix a lot of current potential security issues. This is a big piece of work. I said "was" because Thomas is now going abroad in the context of his school studies and will probably be less available. The good news is that Denis Gervalle has agreed to carry on his work and more generally to focus on security issues for the coming 3 months at least.
> >>
> >> So you should see progress in this area :)
> >>
> >> Thanks
> >> -Vincent
> >>
> >>> Thanks !
> >>>
> >>> --
> >>> Chris
> >>>
> >>> On 8/10/2013 05:10, Thomas Delafosse wrote:
> >>>> Hello Christian,
> >>>>
> >>>> It's nice to see that you are interested in XWiki security :)
> >>>> As for the secure html macro I've been working on, there's no PR made for
> >>>> it (the issue was that it was breaking a lot of panels that were using
> >>>> unsafe html code thanks to this macro), but I would try to create a branch
> >>>> on github with the corresponding code when I have time. To sum up what I've
> >>>> done, I just used a library called JSoup which allows to easily deal with
> >>>> whitelists (see http://jsoup.org/apidocs/org/jsoup/safety/Whitelist.html for
> >>>> example). And as I wanted to let users with Programming Rights use the HTML
> >>>> macro without restriction, I had to put my "secure" html macro in
> >>>> xwiki-platform instead of xwiki-rendering, so that my whitelist check is
> >>>> not used against these users.
> >>>> BTW let me know if there is any issue you get with my other XSS PR and don't
> >>>> hesitate to contact me if you have questions or suggestions about what I've
> >>>> done there (or for other security matters !). As Vincent said, I'm on
> >>>> holidays right now, so I could be slow to answer, but I won't forget you ;).
> >>>>
> >>>> Thanks !
> >>>>
> >>>> Thomas
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>
secureHTMLMacro.patch
Description: Binary data
_______________________________________________ devs mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/devs
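The approach Thomas describes in both messages above (run the HTML macro content through a JSoup whitelist unless the author has programming rights) looks roughly like the following. This is an added example, not the attached secureHTMLMacro.patch and not XWiki code: the class name, the `render`/`isClean` methods and the `hasProgrammingRights` boolean are assumptions for illustration (in XWiki that decision would come from the authorization layer, not a parameter), and the exact set of extra tags in the whitelist is a choice, not the one in the patch. The sample inputs are constructed.

```java
// Added example, not code from the XWiki project or from the patch.
// Requires the jsoup jar (http://jsoup.org/download) on the classpath.
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist; // renamed Safelist in jsoup >= 1.14.1

public class SecureHtmlMacroExample {

    // Whitelist.basic() allows simple text formatting, lists and <a href>,
    // and only lets href use http/https/ftp/mailto, so javascript: URLs are
    // dropped. A few structural tags are added on top (assumed choice).
    // Event-handler attributes, <script>, <style> and <iframe> are never
    // allowed, which is exactly why many stock wiki panels stop working.
    private static final Whitelist WHITELIST = Whitelist.basic()
        .addTags("h1", "h2", "h3", "table", "thead", "tbody", "tr", "th", "td")
        .addAttributes("td", "colspan", "rowspan")
        .addAttributes("th", "colspan", "rowspan");

    /**
     * Returns the HTML the macro is allowed to emit. Authors with
     * programming rights keep their content untouched (the behaviour the
     * mail wants); everyone else gets the whitelist-cleaned version.
     * The boolean stands in for a real authorization check (assumption).
     */
    public static String render(String content, boolean hasProgrammingRights) {
        if (hasProgrammingRights) {
            return content;
        }
        return Jsoup.clean(content, WHITELIST);
    }

    /** True if the content would pass the whitelist without anything removed. */
    public static boolean isClean(String content) {
        return Jsoup.isValid(content, WHITELIST);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary panel snippet, one that
        // carries an inline handler, a script block and a javascript: link.
        String benign  = "<p>Hello <b>world</b>, see "
                       + "<a href=\"https://xwiki.org\">XWiki</a></p>";
        String hostile = "<p onclick=\"doSomething()\">Hi</p>"
                       + "<script>doSomething()</script>"
                       + "<a href=\"javascript:doSomething()\">link</a>";

        System.out.println("benign passes whitelist:  " + isClean(benign));
        System.out.println("hostile passes whitelist: " + isClean(hostile));
        System.out.println("cleaned benign:  " + render(benign, false));
        System.out.println("cleaned hostile: " + render(hostile, false));
        System.out.println("programming rights bypass check: "
                       + render(hostile, true).equals(hostile));
    }
}
```

Running it shows the benign snippet surviving intact (JSoup adds `rel="nofollow"` to the link, an enforced attribute of `Whitelist.basic()`), while in the hostile snippet the `onclick` attribute, the `<script>` element and the `javascript:` href are all removed; with programming rights the content is returned verbatim, which is why the mail insists the check belong in xwiki-platform where rights are known. Using `isClean` before saving gives an author immediate feedback on which tags the whitelist rejects, rather than silently dropping them at render time.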

