ikiwiki/doc/plugins/htmlscrubber.mdwn

[[template id=plugin name=htmlscrubber core=1 author="[[Joey]]"]]
[[tag type/html]]

This plugin is enabled by default. It sanitizes the html on pages it renders
to avoid XSS attacks and the like.

It excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
Notably it strips `style`, `link`, and the `style` attribute.

It uses the [[cpan HTML::Scrubber]] perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding
tricks.

While I believe that this makes ikiwiki as resistant to malicious html
content as anything else on the web, I cannot guarantee that it will
actually protect every user of every browser from every browser security
hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
in ikiwiki's [[GPL]] license. 

The web's security model is *fundamentally broken*; ikiwiki's html
sanitisation is only a patch on the underlying gaping hole that is your web
browser.

Note that enabling or disabling the htmlscrubber plugin also affects some other
HTML-related functionality, such as whether [[meta]] allows potentially unsafe
HTML tags.

----

Some examples of embedded javascript that won't be let through when this
plugin is active:

* <span style="background: url(javascript:window.location='http://example.org/')">test</span>
* <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">test</span>
* <span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">test</span>
simplified plugin definitions 2007-02-13 19:51:21 +01:00			`[[template id=plugin name=htmlscrubber core=1 author="[[Joey]]"]]`
* Allow multiple tag settings to appear in a single page. 2007-02-14 05:05:08 +01:00			`[[tag type/html]]`
* Allow preprocessor directives to contain python-like triple-quoted text blocks, for easy nesting of quotes inside. * Add a template plugin. * Use the template plugin to add infoboxes to each plugin page listing basic info about the plugin. 2006-08-23 07:41:07 +02:00
* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. 2006-05-05 07:41:11 +02:00			`This plugin is enabled by default. It sanitizes the html on pages it renders`
			`to avoid XSS attacks and the like.`
implemented html sanitisation 2006-04-25 05:18:21 +02:00
* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. 2006-05-05 07:41:11 +02:00			`It excludes all html tags and attributes except for those that are`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`whitelisted using the same lists as used by Mark Pilgrim's Universal Feed`
			`Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.`
			Notably it strips `style`, `link`, and the `style` attribute.

shortcut stuff 2006-11-20 12:31:23 +01:00			`It uses the [[cpan HTML::Scrubber]] perl module to perform its html`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`sanitisation, and this perl module also deals with various entity encoding`
			`tricks.`

web commit by joey 2006-04-25 05:23:49 +02:00			`While I believe that this makes ikiwiki as resistant to malicious html`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`content as anything else on the web, I cannot guarantee that it will`
			`actually protect every user of every browser from every browser security`
			`hole, badly designed feature, etc. I can provide NO WARRANTY, like it says`
broken link 2007-04-06 19:34:35 +02:00			`in ikiwiki's [[GPL]] license.`
implemented html sanitisation 2006-04-25 05:18:21 +02:00
web commit by joey 2006-04-25 05:23:26 +02:00			`The web's security model is fundamentally broken; ikiwiki's html`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`sanitisation is only a patch on the underlying gaping hole that is your web`
			`browser.`

Note that enabling or disabling the htmlscrubber plugin also affects some other HTML-related functionality, such as whether [[meta]] allows potentially unsafe HTML tags. 2007-03-26 23:39:18 +02:00			`Note that enabling or disabling the htmlscrubber plugin also affects some other`
			`HTML-related functionality, such as whether [[meta]] allows potentially unsafe`
			`HTML tags.`

implemented html sanitisation 2006-04-25 05:18:21 +02:00			`----`

* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. 2006-05-05 07:41:11 +02:00			`Some examples of embedded javascript that won't be let through when this`
			`plugin is active:`
implemented html sanitisation 2006-04-25 05:18:21 +02:00
web commit by joey 2006-04-25 05:36:25 +02:00			`* <span style="background: url(javascript:window.location='http://example.org/')">test</span>`
			`* <span style="any: expression(window.location='http://example.org/')">test</span>`
			`* <span style="any: expression(window.location='http://example.org/')">test</span>`