return $content;
} #}}}
+my $_scrubber;
+sub scrubber { #{{{
+ return $_scrubber if defined $_scrubber;
+
+ eval q{use HTML::Scrubber};
+ # Lists based on http://feedparser.org/docs/html-sanitization.html
+ $_scrubber = HTML::Scrubber->new(
+ allow => [qw{
+ a abbr acronym address area b big blockquote br
+ button caption center cite code col colgroup dd del
+ dfn dir div dl dt em fieldset font form h1 h2 h3 h4
+ h5 h6 hr i img input ins kbd label legend li map
+ menu ol optgroup option p pre q s samp select small
+ span strike strong sub sup table tbody td textarea
+ tfoot th thead tr tt u ul var
+ }],
+ default => [undef, { map { $_ => 1 } qw{
+ abbr accept accept-charset accesskey action
+ align alt axis border cellpadding cellspacing
+ char charoff charset checked cite class
+ clear cols colspan color compact coords
+ datetime dir disabled enctype for frame
+ headers height href hreflang hspace id ismap
+ label lang longdesc maxlength media method
+ multiple name nohref noshade nowrap prompt
+ readonly rel rev rows rowspan rules scope
+ selected shape size span src start summary
+ tabindex target title type usemap valign
+ value vspace width
+ }}],
+ );
+ return $_scrubber;
+} # }}}
+
sub htmlize ($$) { #{{{
my $type=shift;
my $content=shift;
}
if ($type eq '.mdwn') {
- return Markdown::Markdown($content);
+ $content=Markdown::Markdown($content);
}
else {
error("htmlization of $type not supported");
}
+
+ if ($config{sanitize}) {
+ $content=scrubber()->scrub($content);
+ }
+
+ return $content;
} #}}}
sub backlinks ($) { #{{{
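Review bot: in `scrubber`, the result of `eval q{use HTML::Scrubber};` is never checked, so on a system without the module the failure only surfaces later inside `HTML::Scrubber->new` with an unhelpful message; suggest `error("HTML::Scrubber not installed") if $@;` right after the eval, matching how `htmlize` reports an unsupported type. A second point on the `default` hash: every attribute is mapped to `1`, which tells HTML::Scrubber to pass the attribute value through unvalidated, whereas the module also accepts a regex or code ref per attribute; the URL-bearing attributes in the list (`href`, `src`, `action`, `longdesc`, `usemap`, `cite`) are the ones where restricting values to the schemes the wiki intends to serve would add real protection beyond the tag/attribute name whitelist.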
Source: ikiwiki
Section: web
Priority: optional
-Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl
+Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl, libhtml-scrubber-perl
Maintainer: Joey Hess <joeyh@debian.org>
Standards-Version: 3.6.2
Package: ikiwiki
Architecture: all
-Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
+Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libhtml-scrubber-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
Recommends: subversion, hyperestraier
Suggests: viewcvs
Description: a wiki compiler
--- /dev/null
+When run with the --sanitize switch, which is turned on by default (see
+[[usage]], ikiwiki sanitizes the html on pages it renders to avoid XSS
+attacks and the like.
+
+ikiwiki excludes all html tags and attributes except for those that are
+whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
+Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
+Notably it strips `style`, `link`, and the `style` attribute.
+
+ikiwiki uses the HTML::Scrubber perl module to perform its html
+sanitisation, and this perl module also deals with various entity encoding
+tricks.
+
+While I beleive that this makes ikiwiki as resistant to malicious html
+content as anything else on the web, I cannot guarantee that it will
+actually protect every user of every browser from every browser security
+hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
+in ikiwiki's [[GPL]] license.
+
+The web's security model is *fundamntally broken*; ikiwiki's HTML
+sanitisation is only a patch on the underlying gaping hole that is your web
+browser.
+
+----
+
+Some examples of embedded javascript that won't be let through.
+
+<span style="background: url(javascript:window.location='http://example.org/')">test</span>
+<span style="any: expression(window.location='http://example.org/')">test</span>
+<span style="any: expression(window.location='http://example.org/')">test</span>
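Review bot: the third example line repeats the second verbatim, so the "examples of embedded javascript that won't be let through" section shows two cases rather than three; drop the duplicate or replace it with a distinct case. The same file has the typos `beleive` and `fundamntally`, and the parenthesis opened in `(see [[usage]], ikiwiki sanitizes` is never closed (a `)` belongs after `[[usage]]`). Since these are literal tags in a page that ikiwiki itself renders with sanitize on by default, a sentence saying what the reader should expect to see on the rendered page (the spans reduced to plain `test` text) would make the demonstration clearer.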
rss => 1,
# Use the Hyper Estraier search engine?
#hyperestraier => 1,
+ # Sanitize html?
+ sanitize => 1,
}
--- /dev/null
+ikiwiki's main outstanding security hole, lack of [[HtmlSanitization]] has
+now been addressed. ikiwiki now sanitizes html by default.
+
+If only trusted parties can edit your wiki's content, then you might want
+to turn this sanitization back off to allow use of potentially dangerous
+tags. To do so, pass --no-sanitize or set "sanitize => 0," in your
+[[ikiwiki.setup]].
# Probable holes
-## html attacks
+## XSS holes in CGI output
-ikiwiki does not attempt to do any santization of the html on the wiki.
-[[MarkDown]] allows embedding of arbitrary html into a markdown document. If
-you let anyone else edit files on the wiki, then anyone can have fun exploiting
-the web browser bug of the day. This type of attack is typically referred
-to as an XSS attack ([google](http://www.google.com/search?q=xss+attack)).
+ikiwiki has not yet been audited to ensure that all cgi script output is
+sanitised to prevent XSS attacks.
## image files etc attacks
If it enounters a file type it does not understand, ikiwiki just copies it
into place. So if you let users add any kind of file they like, they can
-upload images, movies, windows executables, css files, etc. If these files
-exploit security holes in the browser of someone who's viewing the wiki,
-that can be a security problem.
+upload images, movies, windows executables, css files, etc (though not html
+files). If these files exploit security holes in the browser of someone
+who's viewing the wiki, that can be a security problem.
Of course nobody else seems to worry about this in other wikis, so should we?
rendering the wrong thing. This is not currently possible, but must be kept
in mind in the future when for example adding support for generating html
pages from source with some other extension.
+
+## XSS attacks in page content
+
+ikiwiki supports [[HtmlSanitistion]], though it can be turned off.
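Review bot: the wikilink `[[HtmlSanitistion]]` is misspelled; the page added in this change is `HtmlSanitization`, which is the name the news entry and the `--sanitize` usage text link to, so as written this link renders as a missing-page link. Fix the spelling to `[[HtmlSanitization]]`.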
Ikiwiki requires [[MarkDown]] be installed, and also uses the following
perl modules: `CGI::Session` `CGI::FormBuilder` (version 3.02.02 or
newer) `HTML::Template` `Mail::SendMail` `Time::Duration` `Date::Parse`
- (libtimedate-perl)
+ (libtimedate-perl), `HTML::Scrubber`
2. Create the subversion repository for your wiki.
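Review bot: documentation consistency: `Date::Parse` gives its Debian package in parentheses as `(libtimedate-perl)`, but the new `HTML::Scrubber` entry does not name `libhtml-scrubber-perl`, the package that debian/control now depends on; suggest writing it as `HTML::Scrubber` (libhtml-scrubber-perl) so readers installing from packages can find it the same way.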
+++ /dev/null
-The following need to be resolved before ikiwiki 1.0 can be released:
-
-* HTML XSS [[security]] issues. Do I need to find or write a html sanitiser and bolt it onto the wiki, or can this stupid issue be ignored? It's really the browser's fault, and sanitising out html that is exploitable in all the buggy browsers out there is a neverending treadmill.
-
-That's all!
\ No newline at end of file
--- /dev/null
+The following need to be resolved before ikiwiki 1.0 can be released:
+
+* HTML XSS [[security]] issues. Do I need to find or write a html sanitiser and bolt it onto the wiki, or can this stupid issue be ignored? It's really the browser's fault, and sanitising out html that is exploitable in all the buggy browsers out there is a neverending treadmill.
+
+That's all!
\ No newline at end of file
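Review bot: the deleted and newly created todo files are byte-identical, down to the missing trailing newline, so this is a rename; but the single item they carry, the open question of whether to bolt an HTML sanitiser onto the wiki, is exactly what this commit resolves (the news entry says the hole "has now been addressed"). Either drop the item from the new file or reword it to record the decision taken, and add the trailing newline while touching it.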
Currently allows locking of any page, other powers may be added later.
May be specified multiple times for multiple admins.
+* --sanitize
+
+ Enable [[HtmlSanitization]] of wiki content. On by default, disable with
+ --no-sanitize.
+
* --hyperestraier
Enables use of the [[HyperEstraier]] search engine for full test page
diffurl => '',
anonok => 0,
rss => 0,
+ sanitize => 1,
rebuild => 0,
refresh => 0,
getctime => 0,
"rss!" => \$config{rss},
"cgi!" => \$config{cgi},
"notify!" => \$config{notify},
+ "sanitize!" => \$config{sanitize},
"url=s" => \$config{url},
"cgiurl=s" => \$config{cgiurl},
"historyurl=s" => \$config{historyurl},