
Feature Proposal: ENCODE and URLPARAM Variables with new "moderate" encoding

Motivation

type="safe" is the default mode for ENCODE and URLPARAM. It escapes a small set of characters to reduce the chance of cross-site scripting attacks. Because the percent character is among them, TWiki variables are escaped as well.

This proposal adds a type="moderate" mode that acts like type="safe" but leaves the percent character alone. That way, %BR% and other TWiki variables function properly when entered in a CommentPlugin comment box.

TWikibug:Item6276 (cannot specify percentBRpercent for newline value) currently fixes this issue by using type="off", which opens comment boxes to cross-site scripting attacks. I recommend adding a type="moderate" mode, which is a relatively safe middle ground.

Description and Documentation

In VarENCODE add this:

| Parameter: | Description: | Default: |
| type="moderate" | Encode special characters into HTML entities to avoid XSS exploits: "<", ">", single quote (') and double quote ("). The percent character (%) is not escaped, useful to allow TWiki variables in comment boxes. | type="url" |

In VarURLPARAM add this:

| Parameter: | Description: | Default: |
| encode="moderate" | Encode special characters into HTML entities to avoid XSS exploits: "<", ">", single quote (') and double quote ("). The percent character (%) is not escaped, useful to allow TWiki variables in comment boxes. | encode="safe" |
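To make the difference between the three modes concrete, here is a small stand-alone model of them, added for this proposal and not taken from TWiki's Perl code. It assumes numeric HTML entities for the escaped characters and a constructed comment that mixes a legitimate %BR% with a script tag; the encode(), twiki_variables() and has_html_tags() helpers are illustrative names, not TWiki functions.

```python
import re

# "safe" escapes < > % ' and " (the set described in the Motivation);
# "moderate" is the same set without the percent character.
# Numeric entities are an assumption of this illustration.
SAFE_CHARS = {"<": "&#60;", ">": "&#62;", "%": "&#37;", "'": "&#39;", '"': "&#34;"}
MODERATE_CHARS = {ch: ent for ch, ent in SAFE_CHARS.items() if ch != "%"}

# Matches a TWiki variable such as %BR% or %INCLUDE{...}% (illustrative pattern).
TWIKI_VAR = re.compile(r"%[A-Z][A-Z0-9_]*(?:\{.*?\})?%")


def encode(text: str, mode: str = "safe") -> str:
    """Encode text according to the proposed mode: 'safe', 'moderate' or 'off'."""
    if mode == "off":
        return text  # nothing escaped: what Item6276 currently does
    table = {"safe": SAFE_CHARS, "moderate": MODERATE_CHARS}[mode]
    return "".join(table.get(ch, ch) for ch in text)


def twiki_variables(text: str) -> list:
    """Return the TWiki variables that survive encoding (i.e. would still expand)."""
    return TWIKI_VAR.findall(text)


def has_html_tags(text: str) -> bool:
    """True if a raw tag opener is still present, i.e. markup could reach the browser."""
    return re.search(r"<[A-Za-z/!]", text) is not None


# Constructed sample comment: a wanted line break plus an unwanted script tag.
COMMENT = "first line%BR%second line<script>alert(1)</script>"


def demo(comment: str = COMMENT) -> dict:
    """Encode the comment in every mode and report what survives in each."""
    results = {}
    for mode in ("safe", "moderate", "off"):
        out = encode(comment, mode)
        results[mode] = {
            "encoded": out,
            "variables_kept": twiki_variables(out),
            "tags_survive": has_html_tags(out),
        }
    return results


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode, report)
```

Running it shows why the page calls moderate a middle ground: the script tag is neutralised as in safe mode, but %BR% is kept and so will expand, which is also true of any other variable a commenter chooses to type.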

Examples

Impact

WhatDoesItAffect: Security

Implementation

-- Contributors: PeterThoeny - 2010-03-01

Discussion

Topic revision: r3 - 2010-03-07 - PeterThoeny