Document retrieved from a search-engine cache. Original document URL: http://wiki.cs.msu.ru/System/SafeWikiPlugin?cover=print;rev=2
Modification date: Unknown. Indexing date: Mon Apr 11 00:57:06 2016.
The plugin works by filtering the HTML output by Foswiki as late as possible in the rendering process. It removes anything dodgy from the HTML, such as inline script tags, JavaScript event handlers containing complex script, and URIs that refer to objects outside a controlled range of sites.
Whenever anything is filtered, a report is written to the Foswiki warning log.
The plugin filters all HTML it thinks is dodgy from the output. There is a chance that one or more of the extensions you are using works by embedding naughty HTML. If you find that SafeWikiPlugin kills one or more of your other extensions, then you are advised to seek fixes from the authors of those extensions.
SafeWikiPlugin also has a 'clean html' switch that can make it report an error if malformed HTML is generated by Foswiki.
It is unavoidable that there will be a performance penalty when using the plugin. The size of this penalty depends on your exact configuration, but benchmarks suggest that on average it is less than 1% of the total rendering time.
The authors shall not in any case be liable for special, incidental, consequential, indirect or other similar damages arising from the use of this software.
If in any doubt, do not use it.
JavaScript event handlers (onload, onmouseover, onblur etc.) are automatically compared against a list of filter-in regular expressions, one of which must match, or the handler will be replaced by a disarming string.
By default only simple function calls with atomic parameters are permitted in on* handlers. For example:
javascript: fn(param1, "param2")
is permitted, but
javascript: alert(window.open("http://evilsite.cn"))
is not.
Inline scripts (SCRIPT tags without a src parameter) are always filtered out (removed). URIs used in certain parameters are compared against a whitelist of filter-in regular expressions, one of which must match or the URI will be replaced with a disarming string.
Tag | Parameter |
---|---|
APPLET | archive, code, codebase |
EMBED | src, pluginspace, pluginurl |
OBJECT | archive, codebase |
SCRIPT | src |
The action attribute of FORM tags will also be filtered.
The filter-in regular expressions and the disarming strings are all defined using the configure interface. See the setup for SafeWikiPlugin for more help.
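The three rules described above (on* handlers compared against filter-in patterns, inline scripts removed, URIs in the listed tag attributes compared against a whitelist, with a disarming string substituted on failure), written out as an added Python example. This is not the plugin's own Perl code; the filter-in pattern, the URI whitelist and the disarming strings are constructed placeholders standing in for what an administrator would set in configure.

```python
import re
from html import escape
from html.parser import HTMLParser
# Constructed policy, not the plugin's shipped defaults: a handler is one call with atomic arguments.
ATOM = r'(?:\w+|"[^"()]*"|\'[^\'()]*\')'
SAFE_HANDLER = re.compile(rf'^\s*(?:javascript:\s*)?\w+\(\s*(?:{ATOM}(?:\s*,\s*{ATOM})*)?\s*\)\s*;?\s*$')
SAFE_URI = re.compile(r'^(?:https?://wiki\.example\.org/|/pub/System/)')   # constructed whitelist
DISARM_HANDLER, DISARM_URI = 'alert("handler filtered")', "about:blank"     # disarming strings
URI_ATTRS = {"applet": {"archive", "code", "codebase"}, "embed": {"src", "pluginspace", "pluginurl"},
             "object": {"archive", "codebase"}, "script": {"src"}, "form": {"action"}}

class SafeFilter(HTMLParser):   # re-emits the HTML with the rules applied; HTML comments are dropped
    def __init__(self):
        super().__init__(convert_charrefs=False)           # pass &amp; etc. through unchanged
        self.out, self.log, self.in_inline_script = [], [], False
    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:                          # value is None for e.g. <input disabled>
            if value is not None and name.startswith("on") and not SAFE_HANDLER.match(value):
                self.log.append(f"<{tag}>: handler {name} replaced")
                value = DISARM_HANDLER
            elif value is not None and name in URI_ATTRS.get(tag, ()) and not SAFE_URI.match(value):
                self.log.append(f"<{tag}>: URI in {name} replaced")
                value = DISARM_URI
            parts.append(f" {name}" if value is None else f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)
    def handle_starttag(self, tag, attrs, close=""):
        if tag == "script" and not any(n == "src" for n, _ in attrs):
            self.log.append("inline script removed")       # the whole element is dropped
            self.in_inline_script = not close              # <script/> has no body to skip
        else:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}{close}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, close=" /")
    def handle_endtag(self, tag):
        if tag == "script" and self.in_inline_script:
            self.in_inline_script = False
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_inline_script:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")

def filter_html(html):   # returns (filtered HTML, log lines); the log mirrors the plugin's warning log
    f = SafeFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.log
```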
If SafeWikiPlugin breaks one of your own extensions, the way to overcome this is to recode your plugin so that all script tags are generated in the HEAD section (using Foswiki::Func::addToHEAD). Handlers can still be used, but they cannot be any more complex than a simple call to a function.
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.
Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".
If you have any problems, or if the extension isn't available in configure, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions for more help.
All plugin configuration is done through configure, in the "Security setup" section. You must run and save configure at least once to complete installation.
Sponsors for support and improvements are always welcome.
Plugin Author(s): | Crawford Currie http://wikiring.com from an original idea by Sven Dowideit http://wikiring.com |
Copyright: | © 2007-2009 C-Dot Consultants http://c-dot.co.uk |
License: | GPL (Gnu General Public License) |
Plugin Version: | 5849 (2009-12-22) |
Change History: | |
18 Nov 2009 | Foswiki:Task:Item1963: add configure checkers for basic sanity of {SafeURI} and {UnsafeURI} filter values; also complain if {AllowRedirectUrl} is true |
12 Oct 2009 | Foswiki:Task:Item8255: fix extraneous (missing '!') <[endif]--> shown by IEs at top of page |
17 Sep 2009 | Foswiki:Task:Item8220: support filtering of eval() calls by supporting filter-out for handlers, and URIs too while I was in there. Foswiki:Task:Item1963: hardened the regex that selects where to get JS from to restrict it to the Foswiki System web, which is not normally writable by ordinary users |
14 Jun 2009 | Foswiki:Task:Item8181: plugin made aware of use of foswikiStrikeOne which is needed to work with Foswiki 1.0.6 and later versions. |
30 Apr 2009 | Foswiki:Task:Item8143: First public release |
Dependencies: | |
Plugin Home: | http://foswiki.org/Extensions/SafeWikiPlugin |