https://bugzilla.wikimedia.org/show_bug.cgi?id=71624
--- Comment #5 from Bryan Davis <[email protected]> ---
(In reply to Chris Steipp from comment #2)
> Some general comments so far:
>
> * The inclusion of <script> tags in the markdown seems really problematic,
> and I think needs a better design
> * It would help if we had a strict content security policy, so that <script>
> tags wouldn't be rendered. From an initial look, I think you could get away
> with just setting "Content-Security-Policy: default-src 'self'; img-src
> 'self' data:" and everything would still work.

Easy add. I'll post a patch.

> * You should also set an "X-Frame-Options: DENY" header

Ok.

> * Cookies should be set with "httponly" flag. If someone finds an xss, that
> will keep the session cookie from being (easily) stolen.

Another easy one.

> * You should set the charset to UTF-8, so browsers don't have to guess (and
> attacks in utf7 won't work). So set a "Content-Type:text/html;
> charset=UTF-8" header.

Ok. I am setting <meta charset="utf-8"/> in my base template, but that isn't
seen until the user agent processes the content.

> * Password.php - don't fall back to the "high entropy seed", just throw an
> exception if the other methods aren't available. It's ok for salts, but for
> generating random passwords, it's probably bruteforceable.

Patch incoming.

> Due to the number of libraries this pulls in, I have a long way to go in the
> review, but the markdown is going to take some time.

I've posted patches to remove markdown support and instead use Parsoid to
provide rich markup support. I will cherry-pick these to the testing server
soon.

-- 
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
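The hardening points in the exchange above, as an added example that is not code from the bug, the application under review or MediaWiki: the header values Chris Steipp listed, a checker that audits a response for them (CSP present and not permitting inline scripts, X-Frame-Options, charset in Content-Type, HttpOnly on every Set-Cookie), and a random-password generator that raises when the CSPRNG is unavailable rather than falling back to a weak seed. The function names (audit_headers, generate_password), the entropy parameter and the sample responses are this example's own assumptions.

```python
"""Added example, not code from the bug thread or the application under
review: the response-header hardening from the review comment as a checker,
plus a password generator that raises when no CSPRNG is available instead of
falling back to a weak seed. Names and sample data here are this example's own."""
import os
import string
from typing import Callable, Dict, List, Tuple

Headers = List[Tuple[str, str]]  # WSGI-style header list; Set-Cookie may repeat

# Header values taken from the review comment. Set-Cookie is per-session, so it
# is not listed here; audit_headers() checks it separately.
SECURITY_HEADERS: Headers = [
    ("Content-Security-Policy", "default-src 'self'; img-src 'self' data:"),
    ("X-Frame-Options", "DENY"),
    ("Content-Type", "text/html; charset=UTF-8"),
]


def _parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directive names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Headers) -> List[str]:
    """Return the findings for a response's headers; an empty list means clean."""
    findings: List[str] = []
    lookup = {name.lower(): value for name, value in headers}

    csp = lookup.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        directives = _parse_csp(csp)
        # script-src falls back to default-src; with neither, injected <script>
        # tags execute exactly as they would without a policy.
        script_src = directives.get("script-src") or directives.get("default-src") or []
        if not script_src:
            findings.append("CSP sets neither script-src nor default-src")
        elif any(src in ("'unsafe-inline'", "*") for src in script_src):
            findings.append("CSP allows inline or wildcard script sources")

    if lookup.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    content_type = lookup.get("content-type", "")
    if content_type.lower().startswith("text/html") and \
            "charset=utf-8" not in content_type.lower().replace(" ", ""):
        findings.append("HTML served without charset=UTF-8 in Content-Type")

    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {attr.strip().lower() for attr in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} set without HttpOnly")
    return findings


PASSWORD_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_password(length: int = 16,
                      alphabet: str = PASSWORD_ALPHABET,
                      entropy: Callable[[int], bytes] = os.urandom) -> str:
    """Random password drawn from a CSPRNG. `entropy` defaults to os.urandom and
    is a parameter only so the failure path can be exercised: when the CSPRNG
    is unavailable this raises instead of substituting a time/pid-style seed,
    which is the point made about Password.php in the comment above."""
    if length < 1 or not 2 <= len(alphabet) <= 256:
        raise ValueError("length must be >= 1 and alphabet must have 2..256 symbols")
    n = len(alphabet)
    # Reject bytes >= limit so that b % n is uniform (no modulo bias when n does
    # not divide 256; for 62 symbols limit is 248).
    limit = 256 - (256 % n)
    chars: List[str] = []
    while len(chars) < length:
        try:
            raw = entropy(length - len(chars))
        except (NotImplementedError, OSError) as exc:
            raise RuntimeError("no CSPRNG available; refusing to fall back to a low-entropy seed") from exc
        if not raw:
            raise RuntimeError("entropy source returned no data")
        for b in raw:
            if b < limit and len(chars) < length:
                chars.append(alphabet[b % n])
    return "".join(chars)
```

Two caveats the checker cannot see from headers alone: `default-src 'self'` blocks inline `<script>` bodies and event-handler attributes, but a `<script src>` pointing at the same origin is still allowed, so any same-origin location that serves attacker-controlled bytes remains a script source; and the cookie check only confirms the HttpOnly attribute is present, it does not confirm the cookie is actually the session cookie.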
