Neil Harris wrote:
> Daniel Kinzler wrote:
>
>> David Gerard wrote:
>>
>>> 2009/6/4 Gregory Maxwell <[email protected]>:
>>>
>>>> Restrict site-wide JS and raw HTML injection to a smaller subset of
>>>> users who have been specifically schooled in these issues.
>>>
>>> Is it feasible to allow admins to use raw HTML as appropriate but not
>>> raw JS? Being able to fix MediaWiki: space messages with raw HTML is
>>> way too useful on the occasions where it's useful.
>>
>> Possible yes, sensible no. Because if you can edit raw html, you can inject
>> javascript.
>>
>> -- daniel
>
> Not if you sanitize the HTML after the fact: just cleaning out <script>
> tags and elements from the HTML stream should do the job.
>
> After this has been done to the user-generated content, the desired
> locked-down script code can then be inserted at the final stages of page
> generation.
>
> -- Neil
Come to think of it, you could also allow the carefully vetted loading of scripts from a very limited whitelist of Wikimedia-hosted and controlled domains and paths, when performing that sanitization.

Inline scripts remain a bad idea: there are just too many ways to obfuscate them and/or inject data into them to have any practical prospect of limiting them to safe features without heroic efforts.

However, writing a javascript sanitizer that restricted the user to a "safe" subset of the language, by first parsing and then resynthesizing the code using formal methods for validation, in a way similar to the current solution for TeX, would be an interesting project!

-- Neil

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
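The sanitizer the two posts above sketch (drop script elements from user-supplied HTML, then allow script loading only from a vetted list of wiki-controlled hosts and paths), as an added example that is not part of the thread and is not MediaWiki's own Sanitizer.php. It re-serialises the fragment with Python's stdlib `html.parser`, re-emits `<script src>` only when the URL is https and its host and normalised path match a hypothetical allowlist (`bits.wikimedia.org` under `/skins/`, assumed here for illustration), and also closes the side doors a plain "remove `<script>` tags" pass leaves open: `on*` event-handler attributes, `javascript:` and `data:` URLs in `href`/`src` (including the `java&#09;script:` spelling browsers still execute), and other script-capable containers. The untrusted input at the bottom is constructed for the example.

```python
# Added example (not MediaWiki's Sanitizer.php): strip inline scripts from
# untrusted HTML, keep <script src> only for an allowlisted origin and path,
# and drop the attributes and elements that would otherwise reintroduce JS.
import html
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: (host, path prefix) pairs the wiki itself controls.
SCRIPT_ALLOWLIST = (("bits.wikimedia.org", "/skins/"),)

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
# Dropped together with their whole body (script is re-emitted only from the allowlist).
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

_CTRL = re.compile(r"[\x00-\x20\x7f]")          # browsers ignore these in "java\tscript:"
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")  # RFC 3986 scheme grammar


def _url_is_safe(value):
    """True for relative, http, https and mailto URLs; False for javascript:,
    vbscript:, data: and obfuscated (entity- or control-char-laden) spellings."""
    cleaned = _CTRL.sub("", html.unescape(value)).lower()
    m = _SCHEME.match(cleaned)
    return (m.group(1) if m else "") in ("", "http", "https", "mailto")


def _script_src_allowed(src):
    """True only for https URLs whose host and normalised path are allowlisted."""
    parts = urlsplit(src)                        # hostname ignores user@ tricks
    if parts.scheme != "https" or not parts.hostname:
        return False
    path = posixpath.normpath(parts.path)        # defeats /skins/../evil.js
    return any(parts.hostname == host and path.startswith(prefix)
               for host, prefix in SCRIPT_ALLOWLIST)


class ScriptStrippingSanitizer(HTMLParser):
    """Re-serialises a fragment, dropping script-capable elements and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element being dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID:
                self.skip_depth += 1
            return
        if tag == "script":
            src = dict(attrs).get("src")
            if src and _script_src_allowed(src):
                # Vetted external script: re-emit with src only, never its body.
                self.out.append('<script src="%s"></script>' % html.escape(src, quote=True))
            self.skip_depth = 1
            return
        if tag in DROP_ELEMENTS:
            if tag not in VOID:
                self.skip_depth = 1
            return
        kept = []
        for name, value in attrs:               # html.parser lowercases names
            if name.startswith("on"):           # onclick, onerror, onload, ...
                continue
            if name in URL_ATTRS and value is not None and not _url_is_safe(value):
                continue
            if name == "style":                 # expression(), url(javascript:)
                continue
            kept.append(name if value is None
                        else '%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.skip_depth:
            self.skip_depth -= 1
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))
    # Comments, processing instructions and declarations fall through to
    # HTMLParser's default no-op handlers and are therefore dropped.


def sanitize(fragment):
    parser = ScriptStrippingSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed untrusted input exercising each vector the sanitizer must handle.
UNTRUSTED = (
    '<p onclick="alert(1)">hi</p>'
    '<script>alert(document.cookie)</script>'
    '<script src="https://bits.wikimedia.org/skins/common/wikibits.js"></script>'
    '<script src="https://bits.wikimedia.org/skins/../evil.js"></script>'
    '<script src="https://evil.example/x.js"></script>'
    '<a href="java&#09;script:alert(1)">x</a>'
    '<img src="x" onerror="alert(1)">'
    '<iframe src="https://evil.example/"></iframe>'
    '<b>kept</b>'
)

if __name__ == "__main__":
    print(sanitize(UNTRUSTED))
```

Running it prints `<p>hi</p><script src="https://bits.wikimedia.org/skins/common/wikibits.js"></script><a>x</a><img src="x"><b>kept</b>`: the inline script, the traversal and off-host `src` values, the event handlers and the tab-obfuscated `javascript:` link are all gone while the allowlisted script survives. The allowlist works on the parsed hostname rather than a string prefix, so `https://bits.wikimedia.org@evil.example/skins/a.js` is rejected too. This is a deliberately narrow fragment sanitizer; a production one (MediaWiki's included) also has to deal with SVG, MathML, `srcdoc`, CSS in attributes and the full HTML5 tokenizer quirks, which is the reason the thread treats inline script as unsalvageable rather than filterable.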
