Neil Harris wrote:
Daniel Kinzler wrote:
David Gerard schrieb:
2009/6/4 Gregory Maxwell gmaxwell@gmail.com:
Restrict site-wide JS and raw HTML injection to a smaller subset of users who have been specifically schooled in these issues.
Is it feasible to allow admins to use raw HTML as appropriate but not raw JS? Being able to fix MediaWiki: space messages with raw HTML is way too useful on the occasions where it's useful.
Possible yes, sensible no. Because if you can edit raw html, you can inject javascript.
-- daniel
Not if you sanitize the HTML after the fact: just cleaning out <script> tags and elements from the HTML stream should do the job.
After this has been done to the user-generated content, the desired locked-down script code can then be inserted at the final stages of page generation.
-- Neil
Come to think of it, you could also allow the carefully vetted loading of scripts from a very limited whitelist of Wikimedia-hosted and controlled domains and paths, when performing that sanitization.
Inline scripts remain a bad idea: there are just too many ways to obfuscate them and/or inject data into them to have any practical prospect of limiting them to safe features without heroic efforts.
However, writing a JavaScript sanitizer that restricted the user to a "safe" subset of the language, by first parsing and then resynthesizing the code using formal methods for validation, in a way similar to the current solution for TeX, would be an interesting project!
-- Neil
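An added example of the two sanitization ideas raised in this thread (stripping `<script>` elements from user-supplied HTML, and permitting only external scripts loaded from an allowlisted host and path). This is illustrative code written for this page; it is not MediaWiki's sanitizer, and the allowlisted host `static.example.org` with path prefix `/vetted-scripts/` is a placeholder, not real policy. Because removing `<script>` elements alone still leaves inline event handlers (`onclick`, `onerror`, ...) and `javascript:` URLs as ways to run script, the example drops those as well, along with a small set of elements that can load or execute content on their own.

```python
"""Allowlist HTML sanitizer (added example; not MediaWiki code).

Rebuilds the HTML stream from parsed tokens, which means anything the
parser does not recognise as a safe element or attribute simply never
reaches the output.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist of (host, path prefix) pairs for external scripts.
# Placeholder values, not a real Wikimedia policy.
SCRIPT_ALLOWLIST = (
    ("static.example.org", "/vetted-scripts/"),
)

# Elements removed together with everything inside them. <script> is
# handled separately; the others can load or execute content by themselves.
DROP_WITH_CONTENTS = {"script", "style", "iframe", "object", "embed",
                      "applet", "base", "meta", "link"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "poster"}
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}
NAME_RE = re.compile(r"[a-z][a-z0-9:_-]*")


def script_src_allowed(src: str) -> bool:
    """True only for an https URL on an allowlisted host under an allowlisted path."""
    try:
        parts = urlsplit(src.strip())
        host = (parts.hostname or "").lower()
    except ValueError:          # malformed URL (e.g. broken IPv6 literal)
        return False
    if parts.scheme.lower() != "https" or not host:
        return False
    if ".." in parts.path.split("/"):   # browser would resolve dot-segments before fetching
        return False
    return any(host == h and parts.path.startswith(p) for h, p in SCRIPT_ALLOWLIST)


def url_attr_safe(value: str) -> bool:
    """Reject javascript:, data: and other scheme-based script vectors.

    Control characters and whitespace are removed first because browsers
    ignore them inside the scheme, so 'java\\tscript:' must not slip through.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    try:
        return urlsplit(cleaned).scheme in SAFE_URL_SCHEMES
    except ValueError:
        return False


class ScriptStrippingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)   # re-emit entities as written
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element that is being dropped

    def _attr(self, name, value):
        # on* handlers execute script; style historically did too in old browsers.
        if not NAME_RE.fullmatch(name) or name.startswith("on") or name == "style":
            return ""
        if value is None:
            return " " + name
        if name in URL_ATTRS and not url_attr_safe(value):
            return ""
        return f' {name}="{escape(value, quote=True)}"'

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1
            return
        if tag == "script":
            src = dict(attrs).get("src") or ""
            if script_src_allowed(src):
                # Only the allowlisted src survives; any inline body is dropped.
                self.out.append(f'<script src="{escape(src, quote=True)}"></script>')
            self.skip_depth = 1
            return
        if tag in DROP_WITH_CONTENTS or not NAME_RE.fullmatch(tag):
            if tag not in VOID_ELEMENTS:
                self.skip_depth = 1
            return
        self.out.append("<" + tag + "".join(self._attr(n, v) for n, v in attrs) + ">")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_ELEMENTS:
                self.skip_depth -= 1
            return
        if tag not in VOID_ELEMENTS and tag not in DROP_WITH_CONTENTS and NAME_RE.fullmatch(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    # Comments, doctype declarations and processing instructions are dropped.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass


def sanitize(html: str) -> str:
    parser = ScriptStrippingSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of user-supplied HTML, not a real page.
    sample = '<p onclick="x()">hi <a href="javascript:alert(1)">link</a></p><script>alert(1)</script>'
    print(sanitize(sample))
```

The vetted script is inserted by the sanitizer only because its `src` matched the allowlist; the locked-down scripts the site itself wants can then be appended at the final page-generation stage, after user content has been through `sanitize()`, exactly as the thread suggests.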