Diffstat (limited to 'doc/plugins/htmlscrubber.mdwn')
-rw-r--r-- | doc/plugins/htmlscrubber.mdwn | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/doc/plugins/htmlscrubber.mdwn b/doc/plugins/htmlscrubber.mdwn new file mode 100644 index 000000000..08c81212b --- /dev/null +++ b/doc/plugins/htmlscrubber.mdwn 
@@ -0,0 +1,51 @@ +[[!template id=plugin name=htmlscrubber core=1 author="[[Joey]]"]] +[[!tag type/html]] + +This plugin is enabled by default. It sanitizes the html on pages it renders +to avoid XSS attacks and the like. + +It excludes all html tags and attributes except for those that are +whitelisted using the same lists as used by Mark Pilgrim's Universal Feed +Parser, documented at +<http://web.archive.org/web/20110726052341/http://feedparser.org/docs/html-sanitization.html>. +Notably it strips `style` and `link` tags, and the `style` attribute. + +Any attributes that could be used to specify a URL are checked to ensure +that they are known, safe schemes. It will also block embedded javascript +in such URLs. + +It uses the [[!cpan HTML::Scrubber]] perl module to perform its html +sanitisation, and this perl module also deals with various entity encoding +tricks. + +While I believe that this makes ikiwiki as resistant to malicious html +content as anything else on the web, I cannot guarantee that it will +actually protect every user of every browser from every browser security +hole, badly designed feature, etc. I can provide NO WARRANTY, like it says +in ikiwiki's [[GPL]] license. + +The web's security model is *fundamentally broken*; ikiwiki's html +sanitisation is only a patch on the underlying gaping hole that is your web +browser. + +Note that enabling or disabling the htmlscrubber plugin also affects some +other HTML-related functionality, such as whether [[meta]] allows +potentially unsafe HTML tags. + +The `htmlscrubber_skip` configuration setting can be used to skip scrubbing +of some pages. Set it to a [[ikiwiki/PageSpec]], such as +`posts/* and !comment(*) and !*/Discussion`, and pages matching that can have +all the evil CSS, JavsScript, and unsafe html elements you like. One safe +way to use this is to use [[lockedit]] to lock those pages, so only admins +can edit them. 
+ +---- + +Some examples of embedded javascript that won't be let through when this +plugin is active: + +* script tag test <script>window.location='http://example.org';</script> +* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span> +* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span> +* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span> +* <a href="javascript:alert('foo')">click me</a> |
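Review bot: the two "entity-encoded CSS script test" bullets at the end of the hunk are byte-identical (`<span style="any: expression(window.location='http://example.org/')">`), so the second one exercises nothing the first does not; either drop it or actually entity-encode the `expression(...)` payload in one of them (e.g. `&#101;xpression`) so that the list covers the entity-encoding tricks the text above credits HTML::Scrubber with handling. Same hunk, `htmlscrubber_skip` paragraph: "JavsScript" should be "JavaScript", and the page mixes "sanitizes" with "sanitisation"; pick one spelling. Finally, the example list embeds live payloads (a `<script>` that sets `window.location`, a `javascript:` href) in a page that is only harmless because it is itself scrubbed; a one-line note saying that this page must never match `htmlscrubber_skip` would save an admin who adds something like `doc/*` to that PageSpec from rendering a redirect into their own documentation.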