moinwiki
Handling of URI schemes outside the "allowed" URI_SCHEMES
The input converters differ in their handling of URI references
with a scheme that is not in the set of "allowed URI schemes"
moin.constants.misc.URI_SCHEMES.
-
The wiki markups (creole, mediawiki, moinwiki) treat schemes outside of the set as part of a page name, so
javascript:alert('xss')becomeswiki.local:javascript:alert%28'xss'%29. -
Markdown happily links to all given URIs - including silly and dangerous ones like
javascript:ornew item: orange. -
HTML and DocBook turn links to URIs with "unregistered" schemes into simple text. (via
converters._util.allowed_uri_scheme()). This prevents dangerous links – but also legitimate use of wiki item names containing a colon. -
rST displays a box with a "stop-x" icon and the link text but no explanation, URL or offending scheme.
I plan to improve the rST handling, but wonder whether I should
a) treat unknown schemes as part of an item name (as in wiki markup) or
b) display a proper error message (with reason for failure, error location, full offending URI).
- The first alternative is simpler to implement, consistent with current handling in wiki markup converters and preferable if there is a wiki item with a name containing a colon.
- The second alternative is more explicit and verbose. Links to a local wiki item with a colon in the name would have to be prepended with the "wiki.local" scheme.
Adding "wiki.local" to the supported schemes in moin.constants.misc.URI_SCHEMES would also help with links to pages with colon in the name in HTML and DocBook markup.
@RogerHaase
Some formats prevent links to non-registered URI schemes while
Markdown happily links to all given URIs - including silly and dangerous ones like javascript:.
Should this be considered a security issue?
If yes, how could I add a "security" tag to the issue?
@gmilde Given your analysis above, I defer to you as to the best approach.
Maybe @ThomasWaldmann or @UlrichB22 have a preference.
I don't have a clear preference.
Adding “wiki.local” to moin.constants.misc.URI_SCHEMES is fine if it helps. If you change URI_SCHEMES, it would be nice to have a comment explaining the meaning of this constant, as it is not self-explanatory to me.
In general, handling should be consistent across all converters and as simple as possible :smirk:
Besides the PR I also created a test page:
= URI scheme whitelist =
Moin implements a whitelist of approved URI schemes.
The implementation is inconsistent, though:
* Link to local item
Moin Wiki: [[javascript:alert%28'hi'%29|click here]]
{{{#!creole
Creole: [[javascript:alert%28'hi'%29|click here]]
}}}
* Rudimentary error box (no message, URI hidden)
{{{#!rst
reStructuredText: `click here <javascript:alert('hi')>`__
A good error message looks, for :example:`, so`:
}}}
* Render as text
{{{#!mediawiki
Mediawiki: [javascript:alert%28'hi'%29 click here]
}}}
* Render URI as text (hide link text)
{{{#!html
<html>
<p>
HTML: <a href="javascript:alert%28'hi'%29">click here</a>
</p>
</html>
}}}
* Link to any URI
{{{#!markdown
Markdown: [click here] [id] or [here](javascript:alert%28'hi'%29)
[id]: javascript:alert('hi')
}}}
{{{#!docbook
<article xmlns='http://docbook.org/ns/docbook' xmlns:xlink='http://www.w3.org/1999/xlink'>
<para>
DokBook: <link xlink:href="javascript:alert%28'hi'%29">click here</link>
</para>
</article>
}}}
Please try in a local wiki and give feedback regarding the preferred handling.