On Saturday, October 29, 2016, Daniel Friesen <[email protected]> wrote:
> On 2016-10-29 8:40 AM, Brian Wolff wrote:
>> On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert
>> <[email protected]> wrote:
>>> Hello,
>>>
>>> I was wondering about the security of Widgets (
>>> https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters
>>> passed to them. Any thoughts?
>>>
>>> Are the parameters passed through to the widget cleansed of html/scripts?
>>> If it isn't -- is it possible to easily enforce typing/boundaries on the
>>> parameters?
> There is no way to abstractly ensure scripts are cleaned from text. If
> you know exactly where it is going you may be able to escape everything.
> But you cannot target scripting explicitly and expect to clean it up, as
> there are numerous tricks that can be used to bypass anything but the
> strictest of escaping:
> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
>
>>> Create page: Widget:OpenSeadragon
>>> ---------------------------------------------------------------------
>>> <noinclude>__NOTOC__
>>> <!-- Copyright (c) 2016 Michael Bonert -->
>>> <!-- Released under GNU General Public Licence - Version 3; see
>>> http://www.gnu.org/licenses/gpl.html -->
>>> To insert this widget, use the following code:
>>>
>>> <nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
>>> |image=12881.dzi
>>> |width=800
>>> |height=600
>>> }}</nowiki>
>>>
>>>
>>> </noinclude>
>>> <includeonly><!-- This inserts an OpenSeadragon image -->
>>> <div id="openseadragon1" style="width:
>>> <!--{$width|default:400|escape:'html'}-->px; height:
>>> <!--{$height|default:300|escape:'html'}-->px;"></div>
>>> <script src="../../openseadragon/openseadragon.min.js"></script>
>>> <script type="text/javascript">
>>> var viewer = OpenSeadragon({
>>> id: "openseadragon1",
>>> prefixUrl: "../../openseadragon/images/",
>>> tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
>>> });
>>> </script>
>>> </includeonly>
>>> -------------------------------------------------
>>>
>> In theory that's what the escape modifier is for in smarty parameters.
>>
>> However, in this example, <!--{$width|default:400|escape:'html'}-->px;
>> inside a style attribute isn't really sufficient, as a user could set
>> a width parameter like "400; behavior: url(
>> 'https://foo.com/bar.htc#baz' );x: ", which would cause javascript
>> execution on IE9 and older. (There are other properties for other
>> browsers, however mostly affecting only older browsers). You could
>> also leak private info about your users by doing something like
>> background-image: url( "http://external.com/foo.png" ) .
>>
>> [Disclaimer: I have not read the source code of the widgets extension,
>> so there could also potentially be generic security issues with the
>> extension. Since I haven't reviewed it, I don't really know].
>>
>> --
>> bawolff
> And then there is $image. urlpathinfo doesn't escape quotes,
> backslashes, or </script>.
>
>
It's hard to find docs on what urlpathinfo actually does (talk about a red flag
for a security mechanism...) but I thought it was basically rawurlencode, which
I think escapes all the relevant characters in this context as percent encoding.

--
Bawolff

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
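As an added example, not code from this thread or from the Widgets extension, here is the parameter handling the two replies point toward, written in Python rather than PHP/Smarty: escape:'html' is undone by the HTML attribute parser before the CSS engine runs, so width and height are typed as bounded integers instead of escaped; the image name is allow-listed; and urllib.parse.quote(value, safe="") stands in for rawurlencode to show that percent-encoding does cover quotes, backslashes and </script>. The function names, regexes and size bounds are assumptions for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed inputs: the width value is the one quoted in the thread; the
# image value only carries the characters Daniel names (quote, backslash,
# "</script>"), not a working payload.
WIDTH_FROM_THREAD = "400; behavior: url( 'https://foo.com/bar.htc#baz' );x: "
IMAGE_BAD_CHARS = 'x".dzi\\</script>'

def css_value_seen_by_browser(value):
    """escape:'html' entity-encodes the value, but the attribute parser decodes
    entities before the CSS parser runs, so CSS still sees every ';' and ':'."""
    return html.unescape(html.escape(value, quote=True))

def validate_dimension(value, default, lo=1, hi=4000):
    """Type the parameter as a bounded integer (digits only, within [lo, hi]);
    anything else falls back to the widget default instead of being escaped."""
    if value is None or not re.fullmatch(r"[0-9]{1,5}", value):
        return default
    n = int(value)
    return n if lo <= n <= hi else default

IMAGE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*\.dzi")  # assumed allow-list

def validate_image(value):
    """Allow-list the tile source: a bare .dzi filename, no path separators
    or quote characters. Returns None when the value does not match."""
    return value if value is not None and IMAGE_RE.fullmatch(value) else None

def encode_url_path_segment(value):
    """Percent-encode everything outside the RFC 3986 unreserved set (the
    rawurlencode behaviour bawolff describes), standing in for urlpathinfo."""
    return quote(value, safe="")

def render_widget(width, height, image):
    """Render the widget body from validated parameters; returns None when the
    image parameter is rejected rather than trying to escape it."""
    img = validate_image(image)
    if img is None:
        return None
    w = validate_dimension(width, 400)
    h = validate_dimension(height, 300)
    return (
        f'<div id="openseadragon1" style="width: {w}px; height: {h}px;"></div>\n'
        '<script>var viewer = OpenSeadragon({id: "openseadragon1", '
        f'tileSources: "../../vslide/{encode_url_path_segment(img)}"}});</script>'
    )
```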
