author | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-05-05 05:41:11 +0000 |
---|---|---|
committer | joey <joey@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> | 2006-05-05 05:41:11 +0000 |
commit | 6652de5e1abcaac3ee2f4bf17e5a4b847fcadb0d (patch) | |
tree | 29c76e12b318309401a3274e13891210f275bf83 /doc/htmlsanitization.mdwn | |
parent | 157df8591f03ade7504ad732446f125ae8609b05 (diff) |
* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber
and --disable-plugin htmlscrubber.
Diffstat (limited to 'doc/htmlsanitization.mdwn')
-rw-r--r-- | doc/htmlsanitization.mdwn | 30 |
1 files changed, 0 insertions, 30 deletions
diff --git a/doc/htmlsanitization.mdwn b/doc/htmlsanitization.mdwn deleted file mode 100644 index 2c814e8e4..000000000 --- a/doc/htmlsanitization.mdwn +++ /dev/null @@ -1,30 +0,0 @@ -When run with the `--sanitize` switch, which is turned on by default (see -[[usage]]), ikiwiki sanitizes the html on pages it renders to avoid XSS -attacks and the like. - -ikiwiki excludes all html tags and attributes except for those that are -whitelisted using the same lists as used by Mark Pilgrim's Universal Feed -Parser, documented at <http://feedparser.org/docs/html-sanitization.html>. -Notably it strips `style`, `link`, and the `style` attribute. - -ikiwiki uses the HTML::Scrubber perl module to perform its html -sanitisation, and this perl module also deals with various entity encoding -tricks. - -While I believe that this makes ikiwiki as resistant to malicious html -content as anything else on the web, I cannot guarantee that it will -actually protect every user of every browser from every browser security -hole, badly designed feature, etc. I can provide NO WARRANTY, like it says -in ikiwiki's [GPL](GPL) license. - -The web's security model is *fundamentally broken*; ikiwiki's html -sanitisation is only a patch on the underlying gaping hole that is your web -browser. - ----- - -Some examples of embedded javascript that won't be let through. - -* <span style="background: url(javascript:window.location='http://example.org/')">test</span> -* <span style="any: expression(window.location='http://example.org/')">test</span> -* <span style="any: expression(window.location='http://example.org/')">test</span> |
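Review bot: deleting doc/htmlsanitization.mdwn outright drops the only description of what the scrubber actually does (the tag/attribute whitelist taken from Universal Feed Parser, the stripping of `style`, `link` and the `style` attribute, HTML::Scrubber's handling of entity-encoding tricks, and the `javascript:` URL and `expression()` examples); since the commit message says the feature now lives in `--plugin htmlscrubber`, port this text to the plugin's page and leave a short pointer here rather than a bare deletion, because the [[usage]] reference and any external links to htmlsanitization will otherwise break. When porting, also fix the removed file's own nit: the third example bullet is an exact duplicate of the second and can be dropped.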