<!-- Do not edit this topic - it is generated from a subversion repository, and your edits will be lost (unless you check your changes in, of course) -->
---+!! !SafeWikiPlugin
<!--
One line description, required for extensions repository catalog.
   * Set SHORTDESCRIPTION = Secure your Foswiki so it can't be attacked using cross-scripting (XSS)
-->
<img style="float:right" src="%ATTACHURL%/safewiki.png" />
%SHORTDESCRIPTION%

%TOC%

---++ What it does
This plugin helps prevent evil people from using your wiki to mount [[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-site scripting]] attacks. It is intended to:
   * defuse any raw HTML entered in topics by an attacker,
   * disable script in URL parameters.

Cross-site scripting attacks don't just affect public wiki sites. For example, a footpad could mail one of your users a crafted URL that, when clicked on, compromises your entire corporate intranet. *All* wikis, public or private, need protection against these attacks.

The plugin works by filtering the HTML output by Foswiki as late as possible in the rendering process. It removes anything dodgy from the HTML, such as inline script tags, Javascript event handlers containing complex script, and URIs that refer to objects outside a controlled range of sites. Whenever anything is filtered, a report is written to the Foswiki warning log.

The plugin filters all HTML it thinks is dodgy from the output. There is a chance that one or more of the extensions you are using works by embedding naughty HTML. If you find that !SafeWikiPlugin kills one or more of your other extensions, then you are advised to seek fixes from the authors of those extensions. !SafeWikiPlugin also has a 'clean html' switch that can make it report an error if malformed HTML is generated by Foswiki.

It is unavoidable that there will be a performance penalty when using the plugin. The size of this penalty depends on your exact configuration, but benchmarks suggest that on average it is less than 1% of the total rendering time.

---++ WARNING
This software is provided in the hope that it may be useful. The authors make no warranty, implied or otherwise, about the suitability of this software for safety or security purposes. The authors shall not in any case be liable for special, incidental, consequential, indirect or other similar damages arising from the use of this software. If in _any_ doubt, do not use it.

---++ Gory Details
---+++ Javascript
The values of all Javascript on* handlers (such as =onload=, =onmouseover=, =onblur= etc) are automatically compared against a list of filter-in regular expressions, one of which must match, or the handler will be replaced by a disarming string. By default only simple function calls with atomic parameters are permitted in on* handlers. For example, =javascript: fn(param1, "param2")= is permitted, but =javascript: alert(window.open("http://evilsite.cn"))= is not.

Inline scripts (SCRIPT tags without a =src= parameter) are always filtered out (removed).

URIs used in certain parameters are compared against a whitelist of filter-in regular expressions, one of which must match or the URI will be replaced with a disarming string.

---+++ URIs
By default the following URI parameters are checked against the whitelist:
| *Tag* | *Parameter* |
| APPLET | archive, code, codebase |
| EMBED | src, pluginspace, pluginurl |
| OBJECT | archive, codebase |
| SCRIPT | src |

You can also enable filtering for *all* URIs, in which case URIs such as those used in the =action= attribute of =FORM= tags will also be filtered.

The filter-in regular expressions and the disarming strings are all defined using the =configure= interface. See the setup for SafeWikiPlugin for more help.
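The two mechanisms described above (filter-in regular expressions for on* handlers with a disarming replacement, inline SCRIPT removal, and the per-tag URI whitelist) can be seen end to end in the following Python sketch. It is an added example, not the plugin's own code (which is Perl, built on HTML::Parser): it uses the standard-library =html.parser=, and its regular expressions, disarming strings, trusted host, attribute lists and sample markup are all constructed for illustration; in the real plugin those values come from =configure=.

```python
import html
import re
from html.parser import HTMLParser

# Filter-in patterns for on* handler values: one must match or the handler is
# replaced by DISARMED_HANDLER.  This constructed pattern admits only a simple
# function call with atomic arguments (quoted strings or identifiers).
_ATOM = r'(?:"[^"]*"|\'[^\']*\'|[\w.]+)'
SAFE_HANDLER_PATTERNS = [re.compile(
    r'^\s*(?:javascript:\s*)?[A-Za-z_]\w*\s*\(\s*(?:%s\s*(?:,\s*%s\s*)*)?\)\s*;?\s*$'
    % (_ATOM, _ATOM))]
DISARMED_HANDLER = 'alert("SafeWikiPlugin: handler disarmed")'  # constructed

# Filter-in patterns for URIs (constructed: local paths plus one trusted host);
# anything else is replaced by DISARMED_URI.
SAFE_URI_PATTERNS = [re.compile(r'^(?:/|https?://wiki\.example\.org/)')]
DISARMED_URI = '/SafeWikiPlugin/disarmed'  # constructed

# Tag -> attributes whose URIs are checked by default (the table in this topic).
CHECKED_URI_ATTRS = {
    'applet': {'archive', 'code', 'codebase'},
    'embed': {'src', 'pluginspace', 'pluginurl'},
    'object': {'archive', 'codebase'},
    'script': {'src'},
}
# Attributes treated as URIs when filtering *all* URIs (constructed list).
ALL_URI_ATTRS = {'href', 'src', 'action', 'formaction', 'data', 'archive',
                 'code', 'codebase', 'pluginspace', 'pluginurl'}


class SafeWikiFilter(HTMLParser):
    """Re-emits the HTML it is fed, disarming handlers, URIs and inline script."""

    def __init__(self, filter_all_uris=False):
        super().__init__(convert_charrefs=False)
        self.filter_all_uris = filter_all_uris
        self.out = []       # filtered HTML fragments
        self.warnings = []  # what the plugin would write to the warning log
        self._in_inline_script = False

    @staticmethod
    def _allowed(value, patterns):
        return any(p.search(value) for p in patterns)

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if value is None:               # boolean attribute, nothing to check
                kept.append(name)
                continue
            is_uri = name in CHECKED_URI_ATTRS.get(tag, ()) or (
                self.filter_all_uris and name in ALL_URI_ATTRS)
            if name.startswith('on') and not self._allowed(value, SAFE_HANDLER_PATTERNS):
                self.warnings.append('disarmed %s=%r on <%s>' % (name, value, tag))
                value = DISARMED_HANDLER
            elif is_uri and not self._allowed(value, SAFE_URI_PATTERNS):
                self.warnings.append('disarmed URI %s=%r on <%s>' % (name, value, tag))
                value = DISARMED_URI
            kept.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return ''.join(' ' + a for a in kept)

    def _is_inline_script(self, tag, attrs):
        # A SCRIPT tag without src is always removed, content included.
        if tag == 'script' and not any(n == 'src' for n, _ in attrs):
            self.warnings.append('removed inline <script>')
            return True
        return False

    def handle_starttag(self, tag, attrs):
        if self._is_inline_script(tag, attrs):
            self._in_inline_script = True   # drop everything until </script>
            return
        self.out.append('<%s%s>' % (tag, self._filter_attrs(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        if not self._is_inline_script(tag, attrs):
            self.out.append('<%s%s />' % (tag, self._filter_attrs(tag, attrs)))

    def handle_endtag(self, tag):
        if tag == 'script' and self._in_inline_script:
            self._in_inline_script = False
            return
        self.out.append('</%s>' % tag)

    def handle_data(self, data):
        if not self._in_inline_script:
            self.out.append(data)

    # Comments and character/entity references pass through unchanged.
    def handle_comment(self, data):
        self.out.append('<!--%s-->' % data)
    def handle_entityref(self, name):
        self.out.append('&%s;' % name)
    def handle_charref(self, name):
        self.out.append('&#%s;' % name)


def filter_html(markup, filter_all_uris=False):
    """Return (filtered_html, warnings) for one rendered page fragment."""
    f = SafeWikiFilter(filter_all_uris)
    f.feed(markup)
    f.close()
    return ''.join(f.out), f.warnings
```

=filter_html()= returns the filtered markup together with the list of reports the plugin would write to the warning log, so a page such as =&lt;p onclick='fn(param1, "param2")'&gt;= passes untouched while =onmouseover='alert(window.open("http://evilsite.cn"))'= is replaced by the disarming string and an inline =&lt;script&gt;= block disappears entirely. Passing =filter_all_uris=True= extends the URI check to =href= and =action= attributes, which the default table leaves alone.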
---++ Notes for extensions (Plugins etc) authors
As mentioned above, there is a risk that use of !SafeWikiPlugin might prevent your extension from working. If that is the case, it will usually be because you have tried to embed something in the HTML that !SafeWikiPlugin regards as "naughty" - for example, inline script, complex expressions in handlers etc. The way to overcome this is to recode your plugin so that all script tags are generated in the HEAD section (using =Foswiki::Func::addToHEAD=). Handlers can still be used, but they cannot be any more complex than a simple call to a function.

---++ Installation Instructions
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.

Open =configure=, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".

If you have any problems, or if the extension isn't available in =configure=, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions for more help.

All plugin configuration is done through =configure=, in the "Security setup" section. You must run and save =configure= at least once to complete installation.

---++ Plugin Info
Another great Foswiki extension from the <a style="text-decoration:none" href="http://wikiring.com"><img src="%ATTACHURLPATH%/wikiringlogo20x20.png" alt="" /> *WikiRing* </a> - working together to improve your wiki experience!

Sponsors for support and improvements are always welcome.

| Plugin Author(s): | Crawford Currie http://wikiring.com from an original idea by Sven Dowideit http://wikiring.com |
| Copyright: | © 2007-2009 C-Dot Consultants http://c-dot.co.uk |
| License: | [[http://www.gnu.org/licenses/gpl.html][GPL (Gnu General Public License)]] |
| Plugin Version: | 5849 (2009-12-22) |
| Change History: | <!-- versions below in reverse order --> |
| 18 Nov 2009 | Foswiki:Task:Item1963: add configure checkers for basic sanity of {SafeURI} and {UnsafeURI} filter values; also complain if {AllowRedirectUrl} is true |
| 12 Oct 2009 | Foswiki:Task:Item8255: fix extraneous (missing '!') <[endif]--> shown by IEs at top of page |
| 17 Sep 2009 | Foswiki:Task:Item8220: support filtering of eval() calls by supporting filter-out for handlers, and URIs too while I was in there. Foswiki:Task:Item1963: hardened the regex that selects where to get JS from to restrict it to the Foswiki System web, which is not normally writable by ordinary users |
| 14 Jun 2009 | Foswiki:Task:Item8181: plugin made aware of use of foswikiStrikeOne which is needed to work with Foswiki 1.0.6 and later versions. |
| 30 Apr 2009 | Foswiki:Task:Item8143: First public release |
| Dependencies: | <table class="foswikiTable" border="1"><tr><th>Name</th><th>Version</th><th>Description</th></tr><tr><td align="left">HTML::Parser</td><td align="left">>=0</td><td align="left">Required</td></tr></table> |
| Plugin Home: | http://foswiki.org/Extensions/SafeWikiPlugin |
<!-- Do _not_ attempt to edit this topic; it is auto-generated. Please add comments/questions/remarks to the feedback topic on twiki.org instead. -->
Topic revision: 02 Nov 2013, UnknownUser