SafeWikiPlugin

Secure your Foswiki so it can't be attacked using cross-site scripting (XSS)
What it does
This plugin helps prevent evil people from using your wiki to mount
cross-site scripting attacks. It is intended to:
- defuse any raw HTML entered in topics by an attacker,
- disable script in URL parameters.
Cross-site scripting attacks don't just affect public wiki sites. For
example, a footpad could mail one of your users with a crafted URL that,
when clicked on, compromises your entire corporate intranet. All wikis,
public or private, need protection against these attacks.
The plugin works by filtering the HTML output by Foswiki as late as
possible in the rendering process. It removes anything dodgy from the
HTML, such as inline script tags, Javascript event handlers
containing complex script, and URIs that refer to objects outside a
controlled range of sites.
Whenever anything is filtered, a report is written to the Foswiki warning
log.
The plugin filters all HTML it thinks is dodgy from the output. There is
a chance that one or more of the extensions you are using works by embedding
naughty HTML. If you find that
SafeWikiPlugin kills one or more of your other extensions, then you are
advised to seek fixes from the authors of those extensions.
SafeWikiPlugin also has a 'clean html' switch that can make it report
an error if malformed HTML is generated by Foswiki.
It is unavoidable that there will be a performance penalty when using the
plugin. The size of this penalty depends on your exact configuration, but
benchmarks suggest that on average it is less than 1% of the total
rendering time.
WARNING
This software is provided in the hope that it may be useful.
The authors make no warranty, implied or otherwise, about the
suitability of this software for safety or security purposes.
The authors shall not in any case be liable for special, incidental,
consequential, indirect or other similar damages arising from the use
of this software.
If in any doubt, do not use it.
Gory Details
Javascript
The values of all Javascript on* handlers (such as onload, onmouseover,
onblur etc.) are automatically compared against a list of filter-in
regular expressions, one of which must match, or the handler will be
replaced by a disarming string.
By default only simple function calls with atomic parameters are
permitted in on* handlers. For example,
    javascript: fn(param1, "param2")
is permitted, but
    javascript: alert(window.open("http://evilsite.cn"))
is not.
Inline scripts (SCRIPT tags without a src parameter) are always
filtered out (removed). URIs used in certain parameters are compared
against a whitelist of filter-in regular expressions, one of which must
match or the URI will be replaced with a disarming string.
URIs
By default the following URI parameters are checked against the
whitelist:
| Tag    | Parameters                  |
| APPLET | archive, code, codebase     |
| EMBED  | src, pluginspace, pluginurl |
| OBJECT | archive, codebase           |
| SCRIPT | src                         |
You can also enable filtering for all URIs, in which case URIs such as
those used in the action attribute of FORM tags will also be filtered.
The filter-in regular expressions and the disarming strings are all
defined using the configure interface. See the setup for SafeWikiPlugin
in configure for more help.
Notes for extension (plugin etc.) authors
As mentioned above, there is a risk that use of SafeWikiPlugin might
prevent your extension from working. If that is the case, it will usually
be because you have tried to embed something in the HTML that the
SafeWikiPlugin regards as "naughty" - for example, inline script,
complex expressions in handlers etc.
The way to overcome this is to recode your plugin so that all script tags
are generated in the HEAD section (using Foswiki::Func::addToHEAD). Handlers
can still be used, but they cannot be any more complex than a simple call
to a function.
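The three checks described under Gory Details (the on* handler filter-in expression, removal of inline SCRIPT tags, and the URI whitelist for the tags in the table), applied to the "naughty" and reworked plugin output discussed in the notes above, as an added example in Python. This is not SafeWikiPlugin's own code (the plugin is written in Perl and takes its expressions from configure); the filter-in expressions, the disarming strings, the trusted host wiki.example.com, the set of attributes checked when all URIs are filtered, and the GadgetPlugin markup are all constructed for this example.

```python
import re
from typing import List, Tuple

# Stand-ins for values that SafeWikiPlugin takes from configure (constructed here).
HANDLER_DISARMED = "/* disarmed by filter */"
URI_DISARMED = "#disarmed"

# Filter-in expression for on* handlers: one call to a (possibly dotted) function
# name whose arguments are atomic: identifiers, numbers or quoted strings.
ATOM = r"""(?:[A-Za-z_$][\w$.]*|-?\d+(?:\.\d+)?|"[^"\\]*"|'[^'\\]*')"""
SIMPLE_CALL = re.compile(
    r"^\s*(?:javascript:\s*)?[A-Za-z_$][\w$.]*\s*\(\s*"
    r"(?:" + ATOM + r"\s*(?:,\s*" + ATOM + r"\s*)*)?"
    r"\)\s*;?\s*$"
)

# Filter-in expressions for URIs: anything without a scheme (relative to the wiki)
# plus one trusted host. wiki.example.com is an assumed placeholder.
URI_ALLOW = [
    re.compile(r"^(?![a-z][a-z0-9+.\-]*:)", re.I),
    re.compile(r"^https?://wiki\.example\.com(?:/|$)", re.I),
]

# Tag/attribute pairs checked by default (the table on this page), and the extra
# attributes checked when filtering of all URIs is switched on (assumed set).
URI_ATTRS = {
    "applet": {"archive", "code", "codebase"},
    "embed": {"src", "pluginspace", "pluginurl"},
    "object": {"archive", "codebase"},
    "script": {"src"},
}
ALL_URI_ATTRS = {"href", "src", "action", "data"}

INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>.*?</script\s*>", re.I | re.S)
TAG = re.compile(r"<([A-Za-z][\w:-]*)([^>]*)>")
ATTR = re.compile(r"""([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def is_simple_call(handler: str) -> bool:
    """True if an on* handler value is a single call with atomic parameters."""
    return SIMPLE_CALL.match(handler) is not None


def uri_allowed(uri: str) -> bool:
    """True if at least one filter-in URI expression matches."""
    return any(rx.search(uri) for rx in URI_ALLOW)


def filter_html(html: str, filter_all_uris: bool = False) -> Tuple[str, List[str]]:
    """Return (filtered html, warnings). Each filtered item yields one warning,
    standing in for the report SafeWikiPlugin writes to the Foswiki warning log.
    A regex tag scanner is enough for this example; it is not a full HTML parser."""
    warnings: List[str] = []

    def drop_inline_script(m):
        warnings.append("removed inline SCRIPT element")
        return ""

    html = INLINE_SCRIPT.sub(drop_inline_script, html)

    def fix_tag(m):
        tag, attrs = m.group(1).lower(), m.group(2)

        def fix_attr(a):
            name = a.group(1)
            value = next(g for g in a.groups()[1:] if g is not None)
            lname = name.lower()
            if lname.startswith("on"):
                if not is_simple_call(value):
                    warnings.append(f"<{tag} {lname}> handler disarmed: {value!r}")
                    return f'{name}="{HANDLER_DISARMED}"'
            elif lname in URI_ATTRS.get(tag, set()) or (filter_all_uris and lname in ALL_URI_ATTRS):
                if not uri_allowed(value):
                    warnings.append(f"<{tag} {lname}> URI disarmed: {value!r}")
                    return f'{name}="{URI_DISARMED}"'
            return a.group(0)

        return f"<{m.group(1)}{ATTR.sub(fix_attr, attrs)}>"

    return TAG.sub(fix_tag, html), warnings


# Constructed output of a fictional GadgetPlugin, before and after the rework
# recommended above. Paths and host names are placeholders.
NAUGHTY = """<div id="gadget">
<script type="text/javascript">
  function gadgetInit(el) { el.style.display = 'block'; }
</script>
<a href="#" onclick="gadgetInit(document.getElementById('gadget'))">Start</a>
<embed src="http://untrusted.example/gadget.swf">
</div>
"""

REWORKED = """<script type="text/javascript" src="/pub/System/GadgetPlugin/gadget.js"></script>
<div id="gadget">
<a href="#" onclick="gadgetInit('gadget')">Start</a>
<embed src="/pub/System/GadgetPlugin/gadget.swf">
</div>
"""

if __name__ == "__main__":
    for label, fragment in (("naughty", NAUGHTY), ("reworked", REWORKED)):
        out, warns = filter_html(fragment)
        print(f"--- {label}: {len(warns)} item(s) filtered")
        for w in warns:
            print("  warning:", w)
        print(out)
```

Run stand-alone, the naughty fragment loses its inline script, has its nested-call handler replaced by the disarming string and its off-site embed URI replaced, with one warning per item; the reworked fragment, which loads its script from a relative src and keeps the handler to a single call with an atomic argument, passes through unchanged. In a real plugin the script element would be emitted with Foswiki::Func::addToHEAD rather than written into the topic body.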
Installation Instructions
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.
Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".
If you have any problems, or if the extension isn't available in
configure, then you can still install manually from the command-line. See
http://foswiki.org/Support/ManuallyInstallingExtensions for more help.
All plugin configuration is done through configure, in the "Security setup" section. You must run and save configure at least once to complete installation.
Plugin Info
Another great Foswiki extension from the WikiRing - working together to improve your wiki experience!
Sponsors for support and improvements are always welcome.