%META:TOPICINFO{author="TWikiContributor" date="1273038748" format="1.1" version="$Rev$"}%
---+!! !SafeWikiPlugin
<!--
   Contributions to this plugin are appreciated. Please update the plugin page at
   http://twiki.org/cgi-bin/view/Plugins/SafeWikiPlugin or provide feedback at
   http://twiki.org/cgi-bin/view/Plugins/SafeWikiPluginDev.
   If you are a TWiki contributor please update the plugin in the SVN repository.

   * Set SHORTDESCRIPTION = Secure your TWiki so it can't be attacked using cross-scripting (XSS)
-->
<div style="float:right; background-color:#EBEEF0; margin:0 0 20px 20px; padding: 0 10px 0 10px;">
%TOC{title="Page contents"}%
</div>
%SHORTDESCRIPTION%

---++ What it does

This plugin helps prevent evil people from using your wiki to mount
[[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-scripting]]
attacks. It is intended to:
   * defuse any raw HTML entered in topics by an attacker,
   * disable script in URL parameters

Cross-scripting attacks don't just affect public wiki sites. For example,
a footpad could mail one of your users with a crafted URL that, when
clicked on, compromises your entire corporate intranet. *All* wikis, public
or private, need protection against these attacks.

The plugin works by filtering the HTML output by TWiki as late as
possible in the rendering process. It removes anything dodgy from the
HTML, such as inline script tags, Javascript event handlers
containing complex script, and URIs that refer to objects outside a
controlled range of sites.

Whenever anything is filtered, a report is written to the TWiki warning
log.

The plugin filters all HTML it thinks is dodgy from the output. There is
a chance that one or more of the extensions you are using works by embedding
naughty HTML. If you find that
!SafeWikiPlugin kills one or more of your other extensions, then you are
advised to seek fixes from the authors of those extensions.

!SafeWikiPlugin also has a 'clean html' switch that can make it report
an error if malformed HTML is generated by TWiki. 

It is unavoidable that there will be a performance penalty when using the
plugin. The size of this penalty depends on your exact configuration, but
benchmarks on 4.2.1 suggest that on average it is less than 1% of the total
rendering time.

---++ WARNING

This software is provided in the hope that it may be useful.
The authors make no warranty, implied or otherwise, about the
suitability of this software for safety or security purposes.

The authors shall not in any case be liable for special, incidental,
consequential, indirect or other similar damages arising from the use
of this software.

If in any doubt do not use it.

---++ Gory Details

---+++ Javascript

The values of all Javascript on* handlers (such as =onload=, =onmouseover=, =onblur=
etc) are automatically compared against a list of filter-in regular
expressions, one of which must match, or the handler will be replaced
by disarming string.

By default only simple function calls with atomic parameters are
permitted in on* handlers. For example:
=javascript: fn(param1, "param2")= is permitted,
but =javascript: alert(window.open("http://evilsite.cn"))= is not.

Inline scripts (SCRIPT tags without a =src= parameter) are always
filtered out (removed). URIs used in certain parameters are compared
against a whitelist of filter-in regular expressions, one of which must match
or the URI will be replaced with a disarming string.

---+++ URIs

By default the following URI parameters are checked against the
whitelist:

| *Tag* | *Parameter* |
| APPLET | archive, code, codebase |
| EMBED | src, pluginspace, pluginurl |
| OBJECT | archive, codebase |
| SCRIPT | src |

You can also enable filtering for *all* URIs, in which case URIs
such as those used in the =action= attribute of =FORM= tags will also be
filtered.

The filter-in regular expressions and the disarming strings are all
defined using the =configure= interface. See the setup for !SafeWikiPlugin
for more help.

---++ Notes for extensions (Plugins etc) authors

As mentioned above, there is a risk that use of !SafeWikiPlugin might
prevent your extension from working. If that is the case, it will usually
be because you have tried to embed something in the HTML that the
!SafeWikiPlugin regards as "naughty" - for example, inline script,
complex expressions in handlers etc.

The way to overcome this is to recode your plugin so that all script tags
are generated in the HEAD section (using TWiki::Func::addToHEAD). Handlers
can still be used, but they cannot be any more complex than a simple call
to a function.
 
---++ Installation Instructions

You do not need to install anything in the browser to use this extension. The following instructions are for the administrator who installs the extension on the server where TWiki is running.

Like many other TWiki extensions, this module is shipped with a fully
automatic installer script written using the Build<nop>Contrib.
   * If you have TWiki 4.2 or later, you can install from the =configure= interface (Go to Plugins->Find More Extensions)
      * See the [[http://twiki.org/cgi-bin/view/Plugins/BuildContribInstallationSupplement][installation supplement]] on TWiki.org for more information.
   * If you have any problems, then you can still install manually from the command-line:
      1 Download one of the =.zip= or =.tgz= archives
      1 Unpack the archive in the root directory of your TWiki installation.
      1 Run the installer script ( =perl &lt;module&gt;_installer= )
      1 Run =configure= and enable the module, if it is a plugin.
      1 Repeat for any missing dependencies.
   * If you are *still* having problems, then instead of running the installer script:
      1 Make sure that the file permissions allow the webserver user to access all files.
      1 Check in any installed files that have existing =,v= files in your existing install (take care *not* to lock the files when you check in)
      1 Manually edit !LocalSite.cfg to set any configuration variables.

%IF{"defined 'SYSTEMWEB'" else="<div class='twikiAlert'>%X% WARNING: SYSTEMWEB is not defined in this TWiki. Please add these definitions to your %MAINWEB%.TWikiPreferences, if they are not already there:<br><pre>   * <nop>Set SYSTEMWEB = %<nop>TWIKIWEB%<br>   * <nop>Set USERSWEB = %<nop>MAINWEB%</pre></div>"}%


No further steps are required to install on TWiki 4.2 and later. _To install on TWiki 4 versions before 4.2.0_, you will have to patch TWiki.pm as follows:

   1 Edit lib/TWiki.pm
   1 Locate the 'writeCompletePage' function
   1 Immediately before the line that reads:
<verbatim>
    unless( $this->inContext('command_line')) {
</verbatim>
add these lines:
<verbatim>
   require TWiki::Plugins::SafeWikiPlugin;
   TWiki::Plugins::SafeWikiPlugin::completePageHandler($text, $contentType);
</verbatim>
If your version of TWiki doesn't support plugin configuration from the =configure= interface, you will have to paste the contents of =lib/TWiki/Plugins/SafeWikiPlugin/Config.spec= into the end of =lib/LocalSite.cfg= and edit the configuration manually.

All plugin configuration is done through =configure=.

---++ Plugin Info

|  Plugin Author: | Crawford Currie wikiring.com from an original idea by Sven Dowideit wikiring.com |
|  Copyright: | &copy; 2007-2008 C-Dot Consultants http://c-dot.co.uk; <br /> &copy; 2008-2010, TWiki:TWiki/TWikiContributor |
|  License: | [[http://www.gnu.org/licenses/gpl.html][GPL (Gnu General Public License)]] |
|  Plugin Version: | 18818 (2010-05-26) |
|  2010-05-26: | TWikibug:Item6433 - doc improvements; replacing TWIKIWEB with SYSTEMWEB |
|  2008-08-06: | Plugin configuration is done through configure |
|  2008-01-30: | Initial version |
|  Change History: | <!-- versions below in reverse order -->&nbsp; |
|  Dependencies: | <table border="1"><tr><th>Name</th><th>Version</th><th>Description</th></tr><tr><td align="left">HTML::Parser</td><td align="left">&gt;=0</td><td align="left">Required</td></tr></table> |
|  Plugin Home: | http://twiki.org/cgi-bin/view/Plugins/SafeWikiPlugin |
|  Feedback: | http://twiki.org/cgi-bin/view/Plugins/SafeWikiPluginDev |
|  Appraisal: | http://twiki.org/cgi-bin/view/Plugins/SafeWikiPluginAppraisal |

__Related Topics:__ %SYSTEMWEB%.TWikiPlugins, %SYSTEMWEB%.DeveloperDocumentationCategory, %SYSTEMWEB%.AdminDocumentationCategory, %SYSTEMWEB%.TWikiPreferences
