From: joey
Date: Fri, 5 May 2006 05:41:11 +0000 (+0000)
Subject: * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber
X-Git-Tag: 1.1~8
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/6652de5e1abcaac3ee2f4bf17e5a4b847fcadb0d?hp=157df8591f03ade7504ad732446f125ae8609b05
* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber.
---
diff --git a/IkiWiki.pm b/IkiWiki.pm
index 6a62d9f0e..443a88044 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -26,7 +26,6 @@ sub defaultconfig () { #{{{
 diffurl => '',
 anonok => 0,
 rss => 0,
- sanitize => 1,
 rebuild => 0,
 refresh => 0,
 getctime => 0,
@@ -41,7 +40,7 @@ sub defaultconfig () { #{{{
 setup => undef,
 adminuser => undef,
 adminemail => undef,
- plugin => [qw{inline}],
+ plugin => [qw{inline htmlscrubber}],
 headercontent => '',
 } #}}}
diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm
new file mode 100644
index 000000000..41cf6c991
--- /dev/null
+++ b/IkiWiki/Plugin/htmlscrubber.pm
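Review bot: Putting htmlscrubber into the default `plugin` list makes sanitization only as durable as that list: a setup file that sets `plugin => [...]` to pick its own plugins (the doc/ikiwiki.setup hunk in this commit shows exactly that pattern) would replace the default and silently drop the one plugin whose job is to block XSS, a fail-open default for a security control. Whether a setup file's `plugin` entry replaces or extends the default is not visible in these hunks; if it replaces, consider a check in the config-validation path that warns when htmlscrubber is absent and was not explicitly disabled, e.g. `warn "htmlscrubber plugin is not enabled; page html is not being sanitized\n"`. defaultconfig continues outside both hunks.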
@@ -0,0 +1,51 @@
+#!/usr/bin/perl
+package IkiWiki::Plugin::htmlscrubber;
+
+use warnings;
+use strict;
+use IkiWiki;
+
+sub import { #{{{
+ IkiWiki::hook(type => "sanitize", id => "htmlscrubber",
+ call => \&sanitize);
+} # }}}
+
+sub sanitize ($) { #{{{
+ return scrubber()->scrub(shift);
+} # }}}
+
+my $_scrubber;
+sub scrubber { #{{{
+ return $_scrubber if defined $_scrubber;
+
+ eval q{use HTML::Scrubber};
+ # Lists based on http://feedparser.org/docs/html-sanitization.html
+ $_scrubber = HTML::Scrubber->new(
+ allow => [qw{
+ a abbr acronym address area b big blockquote br
+ button caption center cite code col colgroup dd del
+ dfn dir div dl dt em fieldset font form h1 h2 h3 h4
+ h5 h6 hr i img input ins kbd label legend li map
+ menu ol optgroup option p pre q s samp select small
+ span strike strong sub sup table tbody td textarea
+ tfoot th thead tr tt u ul var
+ }],
+ default => [undef, { map { $_ => 1 } qw{
+ abbr accept accept-charset accesskey action
+ align alt axis border cellpadding cellspacing
+ char charoff charset checked cite class
+ clear cols colspan color compact coords
+ datetime dir disabled enctype for frame
+ headers height href hreflang hspace id ismap
+ label lang longdesc maxlength media method
+ multiple name nohref noshade nowrap prompt
+ readonly rel rev rows rowspan rules scope
+ selected shape size span src start summary
+ tabindex target title type usemap valign
+ value vspace width
+ }}],
+ );
+ return $_scrubber;
+} # }}}
+
+1
diff --git a/IkiWiki/Plugin/skeleton.pm b/IkiWiki/Plugin/skeleton.pm
index d5a2125e5..346dfa5ff 100644
--- a/IkiWiki/Plugin/skeleton.pm
+++ b/IkiWiki/Plugin/skeleton.pm
@@ -15,6 +15,8 @@ sub import { #{{{
 call => \&preprocess);
 IkiWiki::hook(type => "filter", id => "skeleton",
 call => \&filter);
+ IkiWiki::hook(type => "sanitize", id => "skeleton",
+ call => \&sanitize);
 IkiWiki::hook(type => "delete", id => "skeleton",
 call => \&delete);
 IkiWiki::hook(type => "change", id => "skeleton",
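Review bot: `eval q{use HTML::Scrubber};` in scrubber discards `$@`, so on a host without the module this plugin, now enabled by default, fails at the first page render with an unrelated-looking "Can't locate object method" error from `HTML::Scrubber->new` instead of naming the missing dependency; add `IkiWiki::error("htmlscrubber plugin requires HTML::Scrubber: $@") if $@;` right after the eval (the skeleton plugin calls IkiWiki helpers fully qualified, so the same form should work here if error is exported the same way, which this hunk does not show). Separately, the allow/default lists constrain only tag and attribute names: every listed attribute, including `href`, `src` and `action`, maps to `1`, so any value passes, and nothing in this hunk restricts the URI scheme; the plugin doc written in this commit claims the module handles entity-encoding tricks, not URI schemes, so confirm whether HTML::Scrubber rejects script-scheme URIs on its own, and if it does not, replace the `1` for those attributes with a regex rule that accepts only the schemes the wiki needs. A comment recording that decision next to the lists would save the next reader the same investigation.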
@@ -33,11 +35,19 @@ sub preprocess (@) { #{{{
 return "skeleton plugin result";
 } # }}}
-sub filter ($) { #{{{
- my $content=shift;
+sub filter (@) { #{{{
+ my %params=@_;
 IkiWiki::debug("skeleton plugin running as filter");
+ return $params{content};
+} # }}}
+
+sub sanitize ($) { #{{{
+ my $content=shift;
+
+ IkiWiki::debug("skeleton plugin running as a sanitizer");
+ return $content;
 } # }}}
diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index 262e0ec29..9feaa6da7 100644
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -19,40 +19,6 @@ sub linkify ($$) { #{{{
 return $content;
 } #}}}
-my $_scrubber;
-sub scrubber { #{{{
- return $_scrubber if defined $_scrubber;
-
- eval q{use HTML::Scrubber};
- # Lists based on http://feedparser.org/docs/html-sanitization.html
- $_scrubber = HTML::Scrubber->new(
- allow => [qw{
- a abbr acronym address area b big blockquote br
- button caption center cite code col colgroup dd del
- dfn dir div dl dt em fieldset font form h1 h2 h3 h4
- h5 h6 hr i img input ins kbd label legend li map
- menu ol optgroup option p pre q s samp select small
- span strike strong sub sup table tbody td textarea
- tfoot th thead tr tt u ul var
- }],
- default => [undef, { map { $_ => 1 } qw{
- abbr accept accept-charset accesskey action
- align alt axis border cellpadding cellspacing
- char charoff charset checked cite class
- clear cols colspan color compact coords
- datetime dir disabled enctype for frame
- headers height href hreflang hspace id ismap
- label lang longdesc maxlength media method
- multiple name nohref noshade nowrap prompt
- readonly rel rev rows rowspan rules scope
- selected shape size span src start summary
- tabindex target title type usemap valign
- value vspace width
- }}],
- );
- return $_scrubber;
-} # }}}
-
 sub htmlize ($$) { #{{{
 my $type=shift;
 my $content=shift;
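Review bot: The two hooks now use different calling conventions: `filter` receives named parameters (`my %params=@_;` then `$params{content}`) while the new `sanitize` receives a bare content string (`my $content=shift;`), so a sanitizer cannot tell which page it is cleaning and the interface cannot grow without breaking every sanitize hook. Since the sanitize hook is introduced in this commit, giving it the same `%params` shape as filter costs nothing now; the caller in Render.pm's htmlize would have to supply the page, which its `($type, $content)` signature does not currently carry, so this is a small API decision worth settling before plugins depend on it. Note also that the write.mdwn hunk in this commit registers its example sanitizer with `type => "filter"`, which would install it as a filter rather than a sanitizer; `type => "sanitize"` matches the import in this file.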
@@ -71,8 +37,10 @@ sub htmlize ($$) { #{{{
 error("htmlization of $type not supported");
 }
- if ($config{sanitize}) {
- $content=scrubber()->scrub($content);
+ if (exists $hooks{sanitize}) {
+ foreach my $id (keys %{$hooks{sanitize}}) {
+ $content=$hooks{sanitize}{$id}{call}->($content);
+ }
 }
 return $content;
diff --git a/debian/NEWS b/debian/NEWS
index 130d1bd57..5bb107519 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -9,6 +9,11 @@ ikiwiki (1.1) unstable; urgency=low
 search plugin, by passing --plugin=search or through the plugin setting in the config file.
+ The --sanitize and --no-sanitize switches are also gone, replaced with the
+ htmlscrubber plugin. This plugin is enabled by default, to disable it,
+ use --disable-plugin=htmlscrubber, or modify the plugin setting in the
+ config file.
+
 You will need to rebuild your wiki when upgrading to this version. If you listed your wiki in /etc/ikiwiki/wikilist this will be done automatically.
diff --git a/debian/changelog b/debian/changelog
index bd82cd48b..a7887e17f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,8 +43,10 @@ ikiwiki (1.1) UNRELEASED; urgency=low
 * Copied in some smileys from Moin Moin.
 * Allow links of the form [[some page|page]], with whitespace in the link text.
+ * Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber
+ and --disable-plugin htmlscrubber.
- -- Joey Hess Fri, 5 May 2006 00:14:53 -0400
+ -- Joey Hess Fri, 5 May 2006 01:28:19 -0400
 ikiwiki (1.0) unstable; urgency=low
diff --git a/doc/htmlsanitization.mdwn b/doc/htmlsanitization.mdwn
deleted file mode 100644
index 2c814e8e4..000000000
--- a/doc/htmlsanitization.mdwn
+++ /dev/null
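Review bot: `foreach my $id (keys %{$hooks{sanitize}})` runs the sanitizers in hash order, which Perl does not define, so once a second sanitize hook is registered the pipeline order can differ between runs and that hook's output may or may not have passed through htmlscrubber; for a security filter the order should be deterministic, and `foreach my $id (sort keys %{$hooks{sanitize}})` is the minimal change, though what really matters is that the scrubber runs last and nothing visible enforces that. Each hook's return value is also assigned back unchecked, so a hook that returns undef blanks the page, which is arguably the safe failure mode but deserves a comment saying so. htmlize continues outside the hunk, and whether every HTML output path (feeds, inlined pages) goes through htmlize is not visible here; confirm, since this loop is now the only place sanitization happens.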
@@ -1,30 +0,0 @@
-When run with the `--sanitize` switch, which is turned on by default (see
-[[usage]]), ikiwiki sanitizes the html on pages it renders to avoid XSS
-attacks and the like.
-
-ikiwiki excludes all html tags and attributes except for those that are
-whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
-Parser, documented at .
-Notably it strips `style`, `link`, and the `style` attribute.
-
-ikiwiki uses the HTML::Scrubber perl module to perform its html
-sanitisation, and this perl module also deals with various entity encoding
-tricks.
-
-While I believe that this makes ikiwiki as resistant to malicious html
-content as anything else on the web, I cannot guarantee that it will
-actually protect every user of every browser from every browser security
-hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
-in ikiwiki's [GPL](GPL) license.
-
-The web's security model is *fundamentally broken*; ikiwiki's html
-sanitisation is only a patch on the underlying gaping hole that is your web
-browser.
-
-----
-
-Some examples of embedded javascript that won't be let through.
-
-* test
-* test
-* test
diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup
index 3e0e1599e..17d3be7d7 100644
--- a/doc/ikiwiki.setup
+++ b/doc/ikiwiki.setup
@@ -48,8 +48,7 @@ use IkiWiki::Setup::Standard {
 #anonok => 1,
 # Generate rss feeds for pages?
 rss => 1,
- # Sanitize html?
- sanitize => 1,
 # To change the enabled plugins, edit this list
- #plugin => [qw{pagecount inline brokenlinks hyperestraier smiley}],
+ #plugin => [qw{pagecount inline brokenlinks hyperestraier smiley
+ # htmlscrubber}],
 }
diff --git a/doc/news/sanitization.mdwn b/doc/news/sanitization.mdwn
index 6ce254157..419d589c9 100644
--- a/doc/news/sanitization.mdwn
+++ b/doc/news/sanitization.mdwn
@@ -1,7 +1,8 @@
-ikiwiki's main outstanding security hole, lack of [[HtmlSanitization]] has
-now been addressed. ikiwiki now sanitizes html by default.
+ikiwiki's main outstanding security hole, lack of html sanitization, has
+now been addressed. ikiwiki now sanitizes html by default, using the
+[[plugins/htmlscrubber]] plugin.
 If only trusted parties can edit your wiki's content, then you might want to turn this sanitization back off to allow use of potentially dangerous
-tags. To do so, pass --no-sanitize or set "sanitize => 0," in your
-[[ikiwiki.setup]].
+tags. To do so, pass --disable-plugin=sanitize or edit the plugins
+configuration in your [[ikiwiki.setup]].
diff --git a/doc/plugins.mdwn b/doc/plugins.mdwn
index 07c236057..e2f0492af 100644
--- a/doc/plugins.mdwn
+++ b/doc/plugins.mdwn
@@ -1,9 +1,9 @@
 There's documentation if you want to [[write]] your own plugins, or you can install and use plugins contributed by others. The ikiwiki package includes some standard plugins that are installed and
-by default. These include [[inline]], [[pagecount]], [[brokenlinks]],
-[[search]], [[smiley]], and even [[haiku]].
-Of these, [[inline]] is enabled by default.
+by default. These include [[inline]], [[htmlscrubber]], [[pagecount]],
+[[brokenlinks]], [[search]], [[smiley]], and even [[haiku]].
+Of these, [[inline]] and [[htmlscrubber]] are enabled by default.
 To enable other plugins, use the `--plugin` switch described in [[usage]], or the equivalent line in [[ikiwiki.setup]].
diff --git a/doc/plugins/htmlscrubber.mdwn b/doc/plugins/htmlscrubber.mdwn
new file mode 100644
index 000000000..cf0d8e02a
--- /dev/null
+++ b/doc/plugins/htmlscrubber.mdwn
@@ -0,0 +1,30 @@
+This plugin is enabled by default. It sanitizes the html on pages it renders
+to avoid XSS attacks and the like.
+
+It excludes all html tags and attributes except for those that are
+whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
+Parser, documented at .
+Notably it strips `style`, `link`, and the `style` attribute.
+
+It uses the HTML::Scrubber perl module to perform its html
+sanitisation, and this perl module also deals with various entity encoding
+tricks.
+
+While I believe that this makes ikiwiki as resistant to malicious html
+content as anything else on the web, I cannot guarantee that it will
+actually protect every user of every browser from every browser security
+hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
+in ikiwiki's [GPL](GPL) license.
+
+The web's security model is *fundamentally broken*; ikiwiki's html
+sanitisation is only a patch on the underlying gaping hole that is your web
+browser.
+
+----
+
+Some examples of embedded javascript that won't be let through when this
+plugin is active:
+
+* test
+* test
+* test
diff --git a/doc/plugins/write.mdwn b/doc/plugins/write.mdwn
index ae2f8b904..6c013cd4a 100644
--- a/doc/plugins/write.mdwn
+++ b/doc/plugins/write.mdwn
@@ -49,7 +49,7 @@ return the error message as the output of the plugin.
 ### Html issues
-Note that if [[HTMLSanitization]] is enabled, html in
+Note that if the [[htmlscrubber]] is enabled, html in
 [[PreProcessorDirective]] output is sanitised, which may limit what your plugin can do. Also, the rest of the page content is not in html format at preprocessor time. Text output by a preprocessor directive will be passed
@@ -75,7 +75,16 @@ IkiWiki::error if something isn't configured right.
 Runs on the raw source of a page, before anything else touches it, and can make arbitrary changes. The function is passed named parameters `page` and
-`content` should return the filtered content.
+`content` and should return the filtered content.
+
+### sanitize
+
+ IkiWiki::hook(type => "filter", id => "foo", call => \&sanitize);
+
+Use this to implement html sanitization or anything else that needs to
+modify the content of a page after it has been fully converted to html.
+The function is passed the page content and should return the sanitized
+content.
 ### delete
diff --git a/doc/security.mdwn b/doc/security.mdwn
index 77552b1b2..73d98a3ae 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -215,4 +215,5 @@ pages from source with some other extension.
 ## XSS attacks in page content
-ikiwiki supports [[HtmlSanitization]], though it can be turned off.
+ikiwiki supports protecting users from their own broken browsers via the
+[[plugins/htmlscrubber]] plugin, which is enabled by default.
diff --git a/doc/todo/plugin.mdwn b/doc/todo/plugin.mdwn
index 84c3d68f5..0b90b7cae 100644
--- a/doc/todo/plugin.mdwn
+++ b/doc/todo/plugin.mdwn
@@ -25,8 +25,6 @@ Suggestions of ideas for plugins:
 or something. It's possible that this is a special case of backlinks and is best implemented by making backlinks a plugin somehow. --[[Joey]]
-* Splitting out html sanitisation should be easy to do.
-
 * interwiki links
 All the kinds of plugins that blogging software has is also a possibility:
diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index eac72cdc7..3a46dade8 100644
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -162,16 +162,16 @@ These options configure the wiki.
 Currently allows locking of any page, other powers may be added later. May be specified multiple times for multiple admins.
-* --sanitize
-
- Enable [[HtmlSanitization]] of wiki content. On by default, disable with
- --no-sanitize.
-
 * --plugin name
 Enables the use of the specified plugin in the wiki. See [[plugins]] for details. Note that plugin names are case sensative.
+* --disable-plugin name
+
+ Disables use of a plugin. For example "--disable-plugin htmlscrubber"
+ to do away with html sanitization.
+
 * --verbose
 Be vebose about what is being done.
diff --git a/ikiwiki b/ikiwiki
index 4801c5f92..e911eaff4 100755
--- a/ikiwiki
+++ b/ikiwiki
@@ -29,7 +29,6 @@ sub getconfig () { #{{{
 "rss!" => \$config{rss},
 "cgi!" => \$config{cgi},
 "notify!" => \$config{notify},
- "sanitize!" => \$config{sanitize},
 "url=s" => \$config{url},
 "cgiurl=s" => \$config{cgiurl},
 "historyurl=s" => \$config{historyurl},
@@ -54,7 +53,10 @@ sub getconfig () { #{{{
 },
 "plugin=s@" => sub {
 push @{$config{plugin}}, $_[1];
- }
+ },
+ "disable-plugin=s@" => sub {
+ $config{plugin}=[grep { $_ ne $_[1] } @{$config{plugin}} ];
+ },
 ) || usage();
 if (! $config{setup}) {
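Review bot: `--disable-plugin` filters `$config{plugin}` as it stands at the moment the option is parsed, which makes it both order-dependent and silent: `--disable-plugin htmlscrubber --plugin htmlscrubber` re-enables the plugin, a name that matches nothing removes nothing without any diagnostic (the news/sanitization.mdwn hunk in this commit tells users to pass `--disable-plugin=sanitize`, which is not a plugin name and would leave the scrubber running), and if the setup file's `plugin` list is applied after this parse, which is not visible here, it would override the disable entirely. Consider collecting the names into a separate config key (say a `disable_plugin` list) and subtracting it from the plugin list once, after all config sources are merged, warning when a disabled name was never enabled; that also gives the setup file a way to disable a default plugin without restating the whole list. getconfig continues outside both hunks.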