https://bugzilla.wikimedia.org/show_bug.cgi?id=71624
--- Comment #2 from Chris Steipp <[email protected]> ---

Some general comments so far:

* The inclusion of <script> tags in the markdown seems really problematic, and I think needs a better design.
* It would help if we had a strict content security policy, so that <script> tags wouldn't be rendered. From an initial look, I think you could get away with just setting "Content-Security-Policy: default-src 'self'; img-src 'self' data:" and everything would still work.
* You should also set an "X-Frame-Options: DENY" header.
* Cookies should be set with the "httponly" flag. If someone finds an XSS, that will keep the session cookie from being (easily) stolen.
* You should set the charset to UTF-8, so browsers don't have to guess (and attacks in UTF-7 won't work). So set a "Content-Type: text/html; charset=UTF-8" header.
* Password.php - don't fall back to the "high entropy seed", just throw an exception if the other methods aren't available. It's OK for salts, but for generating random passwords, it's probably brute-forceable.

Due to the number of libraries this pulls in, I have a long way to go in the review, but the markdown is going to take some time.

-- 
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
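The following PHP sketch is an added example illustrating the fixes the comment above asks for; it is not code from the bug, from the extension under review, or from MediaWiki. It sets the suggested headers, sets the session cookie with HttpOnly, and generates random passwords from a CSPRNG only, throwing instead of falling back to a seed-based generator. The function names (sendSecurityHeaders, setSessionCookie, secureRandomBytes, generateRandomPassword) and the cookie name are this example's own assumptions.

```php
<?php
// Added example, not the project's code. Written to run on PHP 5.3+ as well
// as PHP 7, which is why it has no scalar type hints and probes for
// random_bytes() before using the OpenSSL source.

/**
 * The response headers suggested in the review, as name => value.
 * Returned as an array so the set can be unit-tested without a web SAPI.
 */
function securityHeaders()
{
    return array(
        // Scripts, styles, frames, XHR etc. only from our own origin; images
        // may additionally be inline data: URIs (what the markdown output
        // needs). Inline <script> blocks in rendered markdown are not executed
        // under this policy because 'unsafe-inline' is not granted.
        'Content-Security-Policy' => "default-src 'self'; img-src 'self' data:",
        // Refuse to be framed by any page (clickjacking).
        'X-Frame-Options'         => 'DENY',
        // Declare the charset so the browser does not sniff it; this is what
        // closes the UTF-7 trick mentioned in the comment.
        'Content-Type'            => 'text/html; charset=UTF-8',
    );
}

/** Emit the headers. Must run before any output is sent. */
function sendSecurityHeaders()
{
    foreach (securityHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
}

/**
 * Session cookie with HttpOnly so document.cookie cannot read it after an
 * XSS; Secure is added when the request came in over TLS.
 */
function setSessionCookie($name, $value, $isHttps)
{
    $expire = 0;      // session cookie, dropped when the browser closes
    $path   = '/';
    $domain = '';
    return setcookie($name, $value, $expire, $path, $domain, (bool) $isHttps, true /* HttpOnly */);
}

/**
 * Cryptographically strong random bytes, or an exception. There is
 * deliberately no mt_rand()/uniqid()/"high entropy seed" fallback: a
 * password drawn from a guessable seed is brute-forceable.
 *
 * @throws RuntimeException when no strong source is available
 */
function secureRandomBytes($n)
{
    if (function_exists('random_bytes')) {            // PHP 7+; throws itself on failure
        return random_bytes($n);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $out = openssl_random_pseudo_bytes($n, $strong);
        if ($out !== false && $strong === true && strlen($out) === $n) {
            return $out;
        }
    }
    throw new RuntimeException('No cryptographically strong random source available');
}

/**
 * Random password over [A-Za-z0-9]. Bytes >= 248 are rejected so that
 * "% 62" does not bias the distribution (248 is the largest multiple of 62
 * that fits in a byte).
 */
function generateRandomPassword($length = 16)
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $limit    = 248;
    $password = '';
    while (strlen($password) < $length) {
        foreach (str_split(secureRandomBytes($length)) as $ch) {
            $b = ord($ch);
            if ($b >= $limit) {
                continue;                              // rejection sampling
            }
            $password .= $alphabet[$b % 62];
            if (strlen($password) === $length) {
                break;
            }
        }
    }
    return $password;
}

// Usage: in a web request, send the headers and cookie before any output.
if (PHP_SAPI !== 'cli') {
    sendSecurityHeaders();
    setSessionCookie('session', bin2hex(secureRandomBytes(16)), !empty($_SERVER['HTTPS']));
}
echo generateRandomPassword(20), "\n";
```

The CSP value is the one proposed in the comment; whether it really breaks nothing depends on the extension's own inline scripts and styles, so deploy it first as Content-Security-Policy-Report-Only and watch the reports before enforcing it.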
