SafeWikiPlugin

Secure your Foswiki so it can't be attacked using cross-scripting (XSS)

What it does

This plugin helps prevent evil people from using your wiki to mount cross-scripting attacks. It is intended to:

• defuse any raw HTML entered in topics by an attacker,
• disable script in URL parameters

Cross-scripting attacks don't just affect public wiki sites. For example, a footpad could mail one of your users with a crafted URL that, when clicked on, compromises your entire corporate intranet. All wikis, public or private, need protection against these attacks.

The plugin works by filtering the HTML output by Foswiki as late as possible in the rendering process. It removes anything dodgy from the HTML, such as inline script tags, Javascript event handlers containing complex script, and URIs that refer to objects outside a controlled range of sites.

Whenever anything is filtered, a report is written to the Foswiki warning log.

The plugin filters all HTML it thinks is dodgy from the output. There is a chance that one or more of the extensions you are using works by embedding naughty HTML. If you find that SafeWikiPlugin kills one or more of your other extensions, then you are advised to seek fixes from the authors of those extensions.

SafeWikiPlugin also has a 'clean html' switch that can make it report an error if malformed HTML is generated by Foswiki.

It is unavoidable that there will be a performance penalty when using the plugin. The size of this penalty depends on your exact configuration, but benchmarks suggest that on average it is less than 1% of the total rendering time.

WARNING

This software is provided in the hope that it may be useful. The authors make no warranty, implied or otherwise, about the suitability of this software for safety or security purposes.

The authors shall not in any case be liable for special, incidental, consequential, indirect or other similar damages arising from the use of this software.

If in any doubt, do not use it.

Gory Details

Javascript

The values of all Javascript on* handlers (such as onload, onmouseover, onblur etc) are automatically compared against a list of filter-in regular expressions, one of which must match, or the handler will be replaced by a disarming string.

By default only simple function calls with atomic parameters are permitted in on* handlers. For example: javascript: fn(param1, "param2") is permitted, but javascript: alert(window.open("http://evilsite.cn")) is not.

Inline scripts (SCRIPT tags without a src parameter) are always filtered out (removed). URIs used in certain parameters are compared against a whitelist of filter-in regular expressions, one of which must match or the URI will be replaced with a disarming string.

URIs

By default the following URI parameters are checked against the whitelist:

Tag	Parameter
APPLET	archive, code, codebase
EMBED	src, pluginspace, pluginurl
OBJECT	archive, codebase
SCRIPT	src

You can also enable filtering for all URIs, in which case URIs such as those used in the action attribute of FORM tags will also be filtered.

The filter-in regular expressions and the disarming strings are all defined using the configure interface. See the setup for SafeWikiPlugin for more help.

Notes for extensions (Plugins etc) authors

As mentioned above, there is a risk that use of SafeWikiPlugin might prevent your extension from working. If that is the case, it will usually be because you have tried to embed something in the HTML that the SafeWikiPlugin regards as "naughty" - for example, inline script, complex expressions in handlers etc.

The way to overcome this is to recode your plugin so that all script tags are generated in the HEAD section (using Foswiki::Func::addToHEAD). Handlers can still be used, but they cannot be any more complex than a simple call to a function.

Installation Instructions

You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.

Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".

If you have any problems, or if the extension isn't available in configure, then you can still install manually from the command-line. See http://foswiki.org/Support/ManuallyInstallingExtensions for more help.

All plugin configuration is done through configure, in the "Security setup" section. You must run and save configure at least once to complete installation.

Plugin Info

Another great Foswiki extension from the WikiRing - working together to improve your wiki experience!

Sponsors for support and improvements are always welcome.

Plugin Author(s):	Crawford Currie http://wikiring.com from an original idea by Sven Dowideit http://wikiring.com
Copyright:	© 2007-2009 C-Dot Consultants http://c-dot.co.uk
License:	GPL (Gnu General Public License)
Plugin Version:	5849 (2009-12-22)
Change History:
18 Nov 2009	Foswiki:Task:Item1963: add configure checkers for basic sanity of {SafeURI} and {UnsafeURI} filter values; also complain if {AllowRedirectUrl} is true
12 Oct 2009	Foswiki:Task:Item8255: fix extraneous (missing '!') <[endif]--> shown by IEs at top of page
17 Sep 2009	Foswiki:Task:Item8220: support filtering of eval() calls by supporting filter-out for handlers, and URIs too while I was in there Foswiki:Task:Item1963: hardened the regex that selects where to get JS from to restrict it to the Foswiki System web, which is not normally writable by ordinary users
14 Jun 2009	Foswiki:Task:Item8181: plugin made aware of use of foswikiStrikeOne which is needed to work with Foswiki 1.0.6 and later versions.
30 Apr 2009	Foswiki:Task:Item8143: First public release
Dependencies:	Name Version Description HTML::Parser >=0 Required
Plugin Home:	http://foswiki.org/Extensions/SafeWikiPlugin