Secure your Foswiki so it can't be attacked using cross-site scripting (XSS)
What it does
This plugin helps prevent evil people from using your wiki to mount
attacks. It is intended to:
- defuse any raw HTML entered in topics by an attacker,
- disable script in URL parameters.
Cross-site scripting attacks don't just affect public wiki sites. For example,
a footpad could mail one of your users with a crafted URL that, when
clicked on, compromises your entire corporate intranet. All wikis, public
or private, need protection against these attacks.
The plugin works by filtering the HTML output by Foswiki as late as
possible in the rendering process. It removes anything dodgy from the
output: inline scripts, handlers containing complex script, and URIs that
refer to objects outside a controlled range of sites.
Whenever anything is filtered, a report is written to the Foswiki warning
The plugin filters all HTML it thinks is dodgy from the output. There is
a chance that one or more of the extensions you are using works by embedding
naughty HTML. If you find that SafeWikiPlugin kills one or more of your other
extensions, then you are advised to seek fixes from the authors of those
extensions.
SafeWikiPlugin also has a 'clean html' switch that can make it report
an error if malformed HTML is generated by Foswiki.
It is unavoidable that there will be a performance penalty when using the
plugin. The size of this penalty depends on your exact configuration, but
benchmarks suggest that on average it is less than 1% of the total
This software is provided in the hope that it may be useful. The authors
make no warranty, implied or otherwise, about the suitability of this
software for safety or security purposes. The authors shall not in any case
be liable for special, incidental, consequential, indirect or other similar
damages arising from the use of this software. If in any doubt, do not use it.
Event handlers (on* attributes such as onclick) are automatically compared
against a list of filter-in regular expressions, one of which must match,
or the handler will be replaced by a disarming string.
By default only simple function calls with atomic parameters are
permitted in on* handlers. For example:
Inline scripts (SCRIPT tags without a src parameter) are always
filtered out (removed). URIs used in certain parameters are compared
against a whitelist of filter-in regular expressions, one of which must match
or the URI will be replaced with a disarming string.
By default the following URI parameters are checked against the whitelist:
|| archive, code, codebase
|| src, pluginspace, pluginurl
|| archive, codebase
You can also enable filtering for all URIs, in which case URIs such as those used in the
tags will also be
The filter-in regular expressions and the disarming strings are all
defined using the configure interface. See the setup for SafeWikiPlugin
in configure for more help.
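As an added illustration (not the plugin's own code, which is Perl), the three rules above, handler filter-in, inline-script removal and URI filter-in, applied by a small Python output filter. The regular expressions, attribute list, disarming strings and sample HTML are constructed stand-ins for the values an administrator would set in configure.

```python
import re
from html.parser import HTMLParser
# Constructed stand-ins for the plugin's configurable patterns and disarming strings:
ATOM = r"(?:'[^']*'|\"[^\"]*\"|-?\d+(?:\.\d+)?|true|false|null|this|[A-Za-z_]\w*)"
SIMPLE_CALL = re.compile(  # one function call with atomic arguments, optional ';'
    r"^\s*[A-Za-z_$][\w$.]*\s*\(\s*(?:%s(?:\s*,\s*%s)*)?\s*\)\s*;?\s*$" % (ATOM, ATOM))
URI_FILTER_IN = [re.compile(r"^/"), re.compile(r"^https?://wiki\.example\.com/")]
URI_ATTRS = {"src", "archive", "code", "codebase", "pluginspace", "pluginurl"}
DISARM_HANDLER, DISARM_URI = "void(0)", "#"
attr_escape = lambda v: v.replace("&", "&amp;").replace("<", "&lt;").replace('"', "&quot;")
class SafeFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)  # entities are passed through as-is
        self.out, self.report, self.in_inline_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(k == "src" for k, _ in attrs):
            self.in_inline_script = True  # no src: drop the element and its body
            self.report.append("inline <script> removed")
            return
        self.out.append(self._rebuild(tag, attrs))
    def handle_startendtag(self, tag, attrs):
        self.out.append(self._rebuild(tag, attrs, "/>"))
    def handle_endtag(self, tag):
        if not self.in_inline_script:
            self.out.append(f"</{tag}>")
        self.in_inline_script = False  # the only end tag seen inside script CDATA is </script>
    def handle_data(self, data):
        if not self.in_inline_script:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")
    def _rebuild(self, tag, attrs, end=">"):
        parts = [tag]
        for name, value in attrs:  # value is None for a bare attribute such as 'disabled'
            if value is not None and name.startswith("on") and not SIMPLE_CALL.match(value):
                self.report.append(f"{name} handler on <{tag}> replaced")
                value = DISARM_HANDLER
            elif value is not None and name in URI_ATTRS and not any(
                    p.match(value) for p in URI_FILTER_IN):
                self.report.append(f"{name} URI on <{tag}> replaced")
                value = DISARM_URI
            parts.append(name if value is None else f'{name}="{attr_escape(value)}"')
        return "<" + " ".join(parts) + end
    def result(self):  # returns (filtered HTML, report lines for the warning log)
        self.close()
        return "".join(self.out), self.report

SAMPLE = ('<p onclick="doThing(\'x\', 1)">ok</p><img src="/pub/pic.png" onmouseover="x=1; run(x)">'
          '<script>run()</script><script src="https://wiki.example.com/pub/lib.js"></script>'
          '<object codebase="http://elsewhere.example/app"></object>')  # constructed input
```

Feed a rendered page with `f = SafeFilter(); f.feed(SAMPLE)` and read `f.result()`; on SAMPLE the simple onclick call and the whitelisted src survive, while the multi-statement handler, the inline script and the off-site codebase are replaced or removed and reported.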
Notes for extension (plugin etc.) authors
As mentioned above, there is a risk that use of SafeWikiPlugin might
prevent your extension from working. If that is the case, it will usually
be because you have tried to embed something in the HTML that the
SafeWikiPlugin regards as "naughty", for example inline script or
complex expressions in handlers.
The way to overcome this is to recode your plugin so that all script tags
are generated in the HEAD section (using Foswiki::Func::addToHEAD). Handlers
can still be used, but they cannot be any more complex than a simple call
to a function.
You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server.
Open configure, and open the "Extensions" section. Use "Find More Extensions" to get a list of available extensions. Select "Install".
If you have any problems, or if the extension isn't available in
configure, then you can still install manually from the command-line. See
http://foswiki.org/Support/ManuallyInstallingExtensions for more help.
All plugin configuration is done through configure, in the "Security setup"
section. You must run and save configure at least once to complete installation.
Another great Foswiki extension from the WikiRing, working together to improve your wiki experience!
Sponsors for support and improvements are always welcome.