Secure your TWiki so it can't be attacked using cross-site scripting (XSS)

What it does

This plugin helps prevent evil people from using your wiki to mount cross-site scripting (XSS) attacks. It is intended to:

  • defuse any raw HTML entered in topics by an attacker,
  • disable script in URL parameters.

Cross-site scripting attacks don't just affect public wiki sites. For example, a footpad could mail one of your users a crafted URL that, when clicked on, compromises your entire corporate intranet. All wikis, public or private, need protection against these attacks.

The plugin works by filtering the HTML output by TWiki as late as possible in the rendering process. It removes anything dodgy from the HTML, such as inline script tags, JavaScript event handlers containing complex script, and URIs that refer to objects outside a controlled range of sites.

Whenever anything is filtered, a report is written to the TWiki warning log.

The plugin filters from the output all HTML it thinks is dodgy. There is a chance that one or more of the extensions you are using works by embedding naughty HTML. If you find that SafeWikiPlugin kills one or more of your other extensions, you are advised to seek fixes from the authors of those extensions.

SafeWikiPlugin also has a 'clean html' switch that can make it report an error if malformed HTML is generated by TWiki.

It is unavoidable that there will be a performance penalty when using the plugin. The size of this penalty depends on your exact configuration, but benchmarks on TWiki 4.2.1 suggest that on average it is less than 1% of the total rendering time.


This software is provided in the hope that it may be useful. The authors make no warranty, implied or otherwise, about the suitability of this software for safety or security purposes.

The authors shall not in any case be liable for special, incidental, consequential, indirect or other similar damages arising from the use of this software.

If in any doubt do not use it.

Gory Details


The values of all JavaScript on* handlers (such as onload, onmouseover, onblur etc.) are automatically compared against a list of filter-in regular expressions, one of which must match, or the handler will be replaced by a disarming string.

By default only simple function calls with atomic parameters are permitted in on* handlers. For example, javascript: fn(param1, "param2") is permitted, but javascript: alert(window.open("http://evilsite.cn")) is not.

Inline scripts (SCRIPT tags without a src parameter) are always filtered out (removed). URIs used in certain parameters are compared against a whitelist of filter-in regular expressions, one of which must match, or the URI will be replaced with a disarming string.


By default the following URI parameters are checked against the whitelist:

  Tag      Parameters
  APPLET   archive, code, codebase
  EMBED    src, pluginspace, pluginurl
  OBJECT   archive, codebase

You can also enable filtering for all URIs, in which case URIs such as those used in the action attribute of FORM tags will also be filtered.

The filter-in regular expressions and the disarming strings are all defined using the configure interface. See the setup for SafeWikiPlugin for more help.
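The following is an added example, not code from SafeWikiPlugin itself, that shows the three filtering rules described above in Python (the plugin is Perl, but the regex-based logic is the same): inline SCRIPT removal, a filter-in rule for on* handlers that permits only a single call with atomic arguments, and a URI whitelist for the APPLET/EMBED/OBJECT parameters in the table, with an optional switch to check all URIs. The filter-in regexes, the trusted host example.org and the disarming strings are constructed for the example; the real defaults are set in configure.

```python
import re

# Filter-in rules are constructed for this example; the plugin's real defaults
# and disarming strings are set in configure. A handler value may be one call
# to a plain identifier with atomic arguments (identifiers, numbers, quoted
# strings), optionally prefixed by "javascript:"; anything else is disarmed.
_ATOM = r'(?:[A-Za-z_]\w*|\d+(?:\.\d+)?|"[^"\\]*"|\'[^\'\\]*\')'
HANDLER_FILTER_IN = [re.compile(
    r'^\s*(?:javascript:)?\s*[A-Za-z_]\w*\s*\(\s*(?:%s(?:\s*,\s*%s)*)?\s*\)\s*;?\s*$'
    % (_ATOM, _ATOM))]
# URI whitelist: only this (assumed) trusted host is allowed in checked attributes.
URI_FILTER_IN = [re.compile(r'^https?://(?:[\w-]+\.)*example\.org(?:[/?#]|$)')]
# Tag/attribute pairs checked by default, as listed in the table above.
URI_ATTRS = {'applet': {'archive', 'code', 'codebase'},
             'embed': {'src', 'pluginspace', 'pluginurl'},
             'object': {'archive', 'codebase'}}
ANY_URI_ATTRS = {'href', 'src', 'action', 'data'}.union(*URI_ATTRS.values())
DISARM_HANDLER, DISARM_URI = 'void(0)', '#disarmed'   # constructed placeholders

def sanitize(html, all_uris=False):
    """Return (filtered_html, reports); each report is a warning-log style line."""
    reports = []

    def drop_inline(m):
        # SCRIPT with a src attribute is kept; inline script is removed outright.
        if re.search(r'\bsrc\s*=', m.group(1), re.I):
            return m.group(0)
        reports.append('removed inline script')
        return ''
    html = re.sub(r'<script\b([^>]*)>.*?</script\s*>', drop_inline, html,
                  flags=re.I | re.S)

    def check_tag(m):
        tag = m.group(1).lower()
        checked = ANY_URI_ATTRS if all_uris else URI_ATTRS.get(tag, set())

        def check_attr(a):
            name, quote, val = a.group(1), a.group(2), a.group(3)
            if name.lower().startswith('on'):
                rules, repl = HANDLER_FILTER_IN, DISARM_HANDLER
            elif name.lower() in checked:
                rules, repl = URI_FILTER_IN, DISARM_URI
            else:
                return a.group(0)
            if any(r.match(val) for r in rules):
                return a.group(0)          # some filter-in rule matched: keep
            reports.append('filtered <%s> %s=%r' % (tag, name.lower(), val))
            return '%s=%s%s%s' % (name, quote, repl, quote)
        attrs = re.sub(r'([A-Za-z_:][\w:.-]*)\s*=\s*(["\'])(.*?)\2', check_attr,
                       m.group(2), flags=re.S)
        return '<%s%s>' % (m.group(1), attrs)
    html = re.sub(r'<([A-Za-z][\w:-]*)([^>]*)>', check_tag, html)
    return html, reports
```

The reports list stands in for the entries the real plugin writes to the TWiki warning log whenever something is filtered.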

Notes for extensions (Plugins etc) authors

As mentioned above, there is a risk that use of SafeWikiPlugin might prevent your extension from working. If that is the case, it will usually be because you have tried to embed something in the HTML that SafeWikiPlugin regards as "naughty", for example inline script or complex expressions in handlers.

The way to overcome this is to recode your plugin so that all script tags are generated in the HEAD section (using TWiki::Func::addToHEAD). Handlers can still be used, but they cannot be any more complex than a simple call to a function.

Installation Instructions

You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server where TWiki is running.

Like many other TWiki extensions, this module is shipped with a fully automatic installer script written using the BuildContrib.

  • If you have TWiki 4.2 or later, you can install from the configure interface (Go to Plugins->Find More Extensions)
  • If you have any problems, then you can still install manually from the command-line:
    1. Download one of the .zip or .tgz archives
    2. Unpack the archive in the root directory of your TWiki installation.
    3. Run the installer script (perl <module>_installer)
    4. Run configure and enable the module, if it is a plugin.
    5. Repeat for any missing dependencies.
  • If you are still having problems, then instead of running the installer script:
    1. Make sure that the file permissions allow the webserver user to access all files.
    2. Check in any installed files that have existing ,v files in your existing install (take care not to lock the files when you check in)
    3. Manually edit LocalSite.cfg to set any configuration variables.

No further steps are required to install on TWiki 4.2 and later. To install on TWiki 4 versions before 4.2.0, you will have to patch TWiki.pm as follows:

  1. Edit lib/TWiki.pm
  2. Locate the 'writeCompletePage' function
  3. Immediately before the line that reads:
       unless( $this->inContext('command_line')) {
     add these lines:
       require TWiki::Plugins::SafeWikiPlugin;
       TWiki::Plugins::SafeWikiPlugin::completePageHandler($text, $contentType);
If your version of TWiki doesn't support plugin configuration from the configure interface, you will have to paste the contents of lib/TWiki/Plugins/SafeWikiPlugin/Config.spec into the end of lib/LocalSite.cfg and edit the configuration manually.

All plugin configuration is done through configure.

Plugin Info

Plugin Author: Crawford Currie (wikiring.com), from an original idea by Sven Dowideit (wikiring.com)
Copyright: © 2007-2008 C-Dot Consultants http://c-dot.co.uk;
© 2008-2010, TWiki:TWiki/TWikiContributor
License: GPL (Gnu General Public License)
Plugin Version: 18818 (2010-05-26)
Change History:
2010-05-26: TWikibug:Item6433 - doc improvements; replacing TWIKIWEB with SYSTEMWEB
2008-08-06: Plugin configuration is done through configure
2008-01-30: Initial version
Plugin Home: http://twiki.org/cgi-bin/view/Plugins/SafeWikiPlugin
Feedback: http://twiki.org/cgi-bin/view/Plugins/SafeWikiPluginDev
Appraisal: http://twiki.org/cgi-bin/view/Plugins/SafeWikiPluginAppraisal

Related Topics: TWikiPlugins, DeveloperDocumentationCategory, AdminDocumentationCategory, TWikiPreferences

Topic revision: r7 - 2010-05-27 - PeterThoeny