| field | value | date |
|---|---|---|
| author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-04-25 03:18:21 +0000 |
| committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-04-25 03:18:21 +0000 |
| commit | d7aecf6ddc19d1dac30ec5616134c2a7e7f4d573 (patch) | |
| tree | 8fd8153d97e2e5ce8e96533d1f750a71e789ab52 /doc/htmlsanitization.mdwn | |
| parent | 5e1db8afa91c027284e4a800449b6a5a00b4d12e (diff) | |
implemented html sanitisation
Diffstat (limited to 'doc/htmlsanitization.mdwn')
-rw-r--r-- | doc/htmlsanitization.mdwn | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/doc/htmlsanitization.mdwn b/doc/htmlsanitization.mdwn new file mode 100644 index 000000000..617753e86 --- /dev/null +++ b/doc/htmlsanitization.mdwn @@ -0,0 +1,30 @@ +When run with the --sanitize switch, which is turned on by default (see +[[usage]], ikiwiki sanitizes the html on pages it renders to avoid XSS +attacks and the like. + +ikiwiki excludes all html tags and attributes except for those that are +whitelisted using the same lists as used by Mark Pilgrim's Universal Feed +Parser, documented at <http://feedparser.org/docs/html-sanitization.html>. +Notably it strips `style`, `link`, and the `style` attribute. + +ikiwiki uses the HTML::Scrubber perl module to perform its html +sanitisation, and this perl module also deals with various entity encoding +tricks. + +While I beleive that this makes ikiwiki as resistant to malicious html +content as anything else on the web, I cannot guarantee that it will +actually protect every user of every browser from every browser security +hole, badly designed feature, etc. I can provide NO WARRANTY, like it says +in ikiwiki's [[GPL]] license. + +The web's security model is *fundamntally broken*; ikiwiki's HTML +sanitisation is only a patch on the underlying gaping hole that is your web +browser. + +---- + +Some examples of embedded javascript that won't be let through. + +<span style="background: url(javascript:window.location='http://example.org/')">test</span> +<span style="any: expression(window.location='http://example.org/')">test</span> +<span style="any: expression(window.location='http://example.org/')">test</span> |
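Review bot: the first sentence of the new page never closes the parenthesis opened at "(see [[usage]]", so the sentence reads "…(see [[usage]], ikiwiki sanitizes the html…"; it should be "(see [[usage]]), ikiwiki sanitizes…". Two spellings also need fixing ("beleive" for "believe", "fundamntally" for "fundamentally"), and the page switches between "sanitization" (file name, first paragraph) and "sanitisation" (later paragraphs); pick one. In the examples section, the third `<span style="any: expression(...)">` line is a verbatim duplicate of the second and adds nothing, so either drop it or replace it with a case that exercises something other than the `style` attribute, since the paragraph above claims the whitelist also strips tags such as `style` and `link` but none of the examples demonstrate tag removal. Finally, "Some examples of embedded javascript that won't be let through." is a sentence fragment; "Some examples of embedded javascript that will not be let through:" with a colon would introduce the list properly.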