Feature Proposal: Safer URLPARAM as default
Motivation
Prevent one more XSS attack point
Description and Documentation
Today URLPARAM is by default a direct cross-site scripting attack point: the parameter value is inserted into the rendered page without any encoding. The proposal is to add a light entity-encoding mode and make it the default.
So that existing applications that depend on the raw value keep working, also provide an option to switch the encoding off.
Making the existing full entity encoding (encode="entity") the default is not acceptable, as it breaks too many normal applications.
Putting encode="entity" into the distribution documents does not cover the topics people have created themselves, nor the hundreds of plugin topics. This is a poor solution.
The proposal is to extend URLPARAM and change its defaults.
- Today the encode option accepts the values "url", "entity" and "quote"; if encode is not given, no encoding happens.
- Add two new values for the encode option of URLPARAM.
- Add the value "safe", which performs a light entity encoding of the five characters ' " % > < , and make this the default.
- Add the value "off", with synonym "none", which turns encoding off for the rare cases where an application can only be implemented with the raw, unencoded URLPARAM value.
Since this change is not fully backwards compatible, it may be worth adding a configure option that turns the default encoding off. However, we should try to avoid this if it is feasible.
Examples
- %URLPARAM{"myvar" encode="safe"}% is equivalent to the new default %URLPARAM{"myvar"}%
- %URLPARAM{"myvar" encode="off"}% is equivalent to the old, unencoded %URLPARAM{"myvar"}%
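The following is an added illustration of the proposed behaviour, written for this page in Python; it is not Foswiki's own Perl implementation. It models the two new modes only: "safe" replaces the five characters ' " % > < with numeric HTML entities (the entity form is an assumption; the proposal only names the characters), and "off"/"none" passes the value through. The urlparam() and render_search_form() helpers and the params dict standing in for the query string are hypothetical, and the attacker input is constructed for the example.

```python
import html
import re

# Characters the proposed "safe" mode encodes (from the proposal). Replacing
# each with its numeric entity (&#NN;) is an assumption made for this example.
SAFE_CHARS_RE = re.compile(r"['\"%<>]")


def encode_safe(value: str) -> str:
    """Light entity encoding: only ' " % < > are touched, everything else is kept."""
    return SAFE_CHARS_RE.sub(lambda m: f"&#{ord(m.group(0))};", value)


def encode_off(value: str) -> str:
    """encode="off" / encode="none": the raw value, exactly as the old default."""
    return value


ENCODERS = {"safe": encode_safe, "off": encode_off, "none": encode_off}


def urlparam(params: dict, name: str, encode: str = "safe", default: str = "") -> str:
    """Hypothetical model of %URLPARAM{"name" encode="..."}% with "safe" as the default."""
    value = params.get(name, default)
    try:
        return ENCODERS[encode](value)
    except KeyError:
        raise ValueError(f"unsupported encode mode: {encode!r}") from None


def render_search_form(params: dict, encode: str = "safe") -> str:
    """A typical application topic: echo the submitted query back into a form field."""
    return f'<input type="text" name="q" value="{urlparam(params, "q", encode)}">'


def is_script_injected(page: str) -> bool:
    """Crude check: did a <script> tag end up in the rendered markup?"""
    return "<script>" in page.lower()


# Constructed attacker input: closes the value attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    attack = {"q": PAYLOAD}
    # Old behaviour: the payload breaks out of the attribute and runs.
    print(render_search_form(attack, encode="off"))
    # Proposed default: the browser shows the payload as text in the field
    # and decodes the entities back to the original characters.
    safe_page = render_search_form(attack)
    print(safe_page)
    print(html.unescape(urlparam(attack, "q")) == PAYLOAD)
```

The last line shows why the light encoding is tolerable for normal applications: the browser decodes the entities, so the user still sees the value they typed, while the markup parser never sees the raw quote or angle bracket. The check is specific to HTML body and attribute contexts, which is where URLPARAM output normally lands; the same five-character encoding does not make a value safe to splice into a script block or a javascript: URL.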
Impact
Implementation
I have the code ready to check in Wednesday the 3rd. I will check it in right away and ask people to assess the impact.
It is too difficult to really assess this without trying it in practice with real applications.
I am naturally prepared to revert the check-in.
Note that this does not stand in the way of also adding SafeWikiPlugin to our distribution. We should not discuss one OR the other.
--
Contributors: KennethLavrsen - 03 Dec 2008
Discussion
Accepted by 14-day rule.
--
KennethLavrsen - 17 Dec 2008 - 00:38