ikiwiki/doc/plugins/htmlscrubber.mdwn

[[template id=plugin name=htmlscrubber core=1 author="[[Joey]]"]]
[[tag type/html]]

This plugin is enabled by default. It sanitizes the html on pages it renders
to avoid XSS attacks and the like.

It excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
Notably it strips `style` and `link` tags, and the `style` attribute.

All attributes that can be used to specify an url are checked to make sure
that the url is in a known, safe scheme, and to block embedded javascript
in such urls.

It uses the [[cpan HTML::Scrubber]] perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding
tricks.

While I believe that this makes ikiwiki as resistant to malicious html
content as anything else on the web, I cannot guarantee that it will
actually protect every user of every browser from every browser security
hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
in ikiwiki's [[GPL]] license. 

The web's security model is *fundamentally broken*; ikiwiki's html
sanitisation is only a patch on the underlying gaping hole that is your web
browser.

Note that enabling or disabling the htmlscrubber plugin also affects some
other HTML-related functionality, such as whether [[meta]] allows
potentially unsafe HTML tags.

----

Some examples of embedded javascript that won't be let through when this
plugin is active:

* script tag test <script>window.location='http://example.org';</script>
* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>
* <span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">entity-encoded CSS script test</span>
* <span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">entity-encoded CSS script test</span>
* <a href="javascript&#x3A;alert('foo')">click me</a>
simplified plugin definitions 2007-02-13 19:51:21 +01:00			`[[template id=plugin name=htmlscrubber core=1 author="[[Joey]]"]]`
* Allow multiple tag settings to appear in a single page. 2007-02-14 05:05:08 +01:00			`[[tag type/html]]`
* Allow preprocessor directives to contain python-like triple-quoted text blocks, for easy nesting of quotes inside. * Add a template plugin. * Use the template plugin to add infoboxes to each plugin page listing basic info about the plugin. 2006-08-23 07:41:07 +02:00
* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. 2006-05-05 07:41:11 +02:00			`This plugin is enabled by default. It sanitizes the html on pages it renders`
			`to avoid XSS attacks and the like.`
implemented html sanitisation 2006-04-25 05:18:21 +02:00
* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. 2006-05-05 07:41:11 +02:00			`It excludes all html tags and attributes except for those that are`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`whitelisted using the same lists as used by Mark Pilgrim's Universal Feed`
			`Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.`
on second thought, simple alphanumeric styles are not actually useful (class is already supported), and anything more complex is too hard to do, so revert 2007-07-11 19:57:02 +02:00			Notably it strips `style` and `link` tags, and the `style` attribute.
implemented html sanitisation 2006-04-25 05:18:21 +02:00
update 2008-02-10 23:27:59 +01:00			`All attributes that can be used to specify an url are checked to make sure`
			`that the url is in a known, safe scheme, and to block embedded javascript`
			`in such urls.`

shortcut stuff 2006-11-20 12:31:23 +01:00			`It uses the [[cpan HTML::Scrubber]] perl module to perform its html`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`sanitisation, and this perl module also deals with various entity encoding`
			`tricks.`

web commit by joey 2006-04-25 05:23:49 +02:00			`While I believe that this makes ikiwiki as resistant to malicious html`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`content as anything else on the web, I cannot guarantee that it will`
			`actually protect every user of every browser from every browser security`
			`hole, badly designed feature, etc. I can provide NO WARRANTY, like it says`
broken link 2007-04-06 19:34:35 +02:00			`in ikiwiki's [[GPL]] license.`
implemented html sanitisation 2006-04-25 05:18:21 +02:00
web commit by joey 2006-04-25 05:23:26 +02:00			`The web's security model is fundamentally broken; ikiwiki's html`
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`sanitisation is only a patch on the underlying gaping hole that is your web`
			`browser.`

update 2008-02-10 23:27:59 +01:00			`Note that enabling or disabling the htmlscrubber plugin also affects some`
			`other HTML-related functionality, such as whether [[meta]] allows`
			`potentially unsafe HTML tags.`
Note that enabling or disabling the htmlscrubber plugin also affects some other HTML-related functionality, such as whether [[meta]] allows potentially unsafe HTML tags. 2007-03-26 23:39:18 +02:00
implemented html sanitisation 2006-04-25 05:18:21 +02:00			`----`

* Removed --sanitize and --no-sanitize, replaced with --plugin htmlscrubber and --disable-plugin htmlscrubber. 2006-05-05 07:41:11 +02:00			`Some examples of embedded javascript that won't be let through when this`
			`plugin is active:`
implemented html sanitisation 2006-04-25 05:18:21 +02:00
web commit by JoshTriplett: Add another example, and add a description to each test. 2007-05-08 22:55:43 +02:00			`* script tag test <script>window.location='http://example.org';</script>`
			`* <span style="background: url(javascript:window.location='http://example.org/')">CSS script test</span>`
			`* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span>`
			`* <span style="any: expression(window.location='http://example.org/')">entity-encoded CSS script test</span>`
* htmlscrubber security fix: Block javascript in uris. * Add htmlscrubber test suite. 2008-02-10 19:16:40 +01:00			`* <a href="javascript:alert('foo')">click me</a>`