From: Philip J. H. <ph...@po...> - 2004-10-11 14:22:42
On 10/11/04, Reini Urban wrote:
> Philip J. Hollenback schrieb:
> > phpwiki nightly cvs 10/7/2004, crao theme, mysql backend.
>
> No bug, a useful feature.
> RawHtml has been enhanced lately to skip insecure HTML automatically.
> You have to configure that away to be able to run such security risks.
>
> /** We defined a better policy when to allow RawHtml:
>  * ENABLE_RAW_HTML_LOCKEDONLY:
>  *   - Allowed if page is locked by ADMIN_USER.
>  * ENABLE_RAW_HTML_SAFE:
>  *   - Allow some sort of "safe" html tags and attributes.
>  *     Unsafe attributes are automatically stripped. (Experimental!)
>  * See http://phpwiki.sourceforge.net/phpwiki/allowing%20safe%20HTML
>  */
>
> default is this: (from the source)
> if (!defined('ENABLE_RAW_HTML'))
>     define('ENABLE_RAW_HTML', true);
> // must be locked
> if (!defined('ENABLE_RAW_HTML_LOCKEDONLY'))
>     define('ENABLE_RAW_HTML_LOCKEDONLY', true);
> // sanitize to safe html code
> if (!defined('ENABLE_RAW_HTML_SAFE'))
>     define('ENABLE_RAW_HTML_SAFE', true);
>
> > Can anyone tell me why this doesn't work:
>
> Always see the source first if you don't understand anything new.

Ok, I see. I did look at those settings in config.ini, but I did not understand the interaction between them. I guess I thought that if ENABLE_RAW_HTML_LOCKEDONLY was set, then any html was allowed, and maybe that ENABLE_RAW_HTML_SAFE applied when ENABLE_RAW_HTML_LOCKEDONLY was unset.

So if I have ENABLE_RAW_HTML_LOCKEDONLY set, is it safe to turn off ENABLE_RAW_HTML_SAFE because only the administrator has the ability to lock pages? Or is that still a security risk?

Wouldn't it be good if RawHtml printed a warning about disabling the unsafe html instead of silently ignoring it?

Thanks,
P.

--
Philip J. Hollenback
ph...@po...
http://www.hollenback.net
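Added illustration of how the three settings quoted above combine (this is not PHPWiki's own code; the page array, the function names and the tag whitelist are assumptions made for this example): ENABLE_RAW_HTML gates the plugin entirely, ENABLE_RAW_HTML_LOCKEDONLY then requires the page to be locked by the admin user, and ENABLE_RAW_HTML_SAFE decides independently whether the surviving HTML is sanitized before rendering.

```php
<?php
// Added example, not PHPWiki's code. The $page shape, the function
// names and the allowed-tag list are assumptions for this illustration.

// Defaults as quoted in the thread.
if (!defined('ENABLE_RAW_HTML'))            define('ENABLE_RAW_HTML', true);
if (!defined('ENABLE_RAW_HTML_LOCKEDONLY')) define('ENABLE_RAW_HTML_LOCKEDONLY', true);
if (!defined('ENABLE_RAW_HTML_SAFE'))       define('ENABLE_RAW_HTML_SAFE', true);

// Simplified sanitizer: keep a small whitelist of formatting tags, then
// strip event-handler attributes and script URLs that survive inside them.
function sanitizeHtml(string $html): string {
    $html = strip_tags($html, '<a><b><i><em><strong><p><br><ul><ol><li>');
    // drop on*="..." / on*='...' / on*=bare attributes
    $html = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
    // neutralise javascript:/vbscript: URLs in href and src attributes
    $html = preg_replace(
        '/\b(href|src)\s*=\s*(["\']?)\s*(javascript|vbscript):[^"\'\s>]*\2/i',
        '$1=$2#$2',
        $html
    );
    return $html;
}

// Decide what the RawHtml plugin may emit for a page.
// Returns the HTML to render, or null when raw HTML is not allowed at all
// (the caller can use null to emit a visible notice instead of staying silent).
function renderRawHtml(array $page, string $html, string $adminUser): ?string {
    if (!ENABLE_RAW_HTML) {
        return null;                                   // plugin disabled entirely
    }
    $lockedByAdmin = $page['locked'] && $page['locked_by'] === $adminUser;
    if (ENABLE_RAW_HTML_LOCKEDONLY && !$lockedByAdmin) {
        return null;                                   // only admin-locked pages qualify
    }
    // LOCKEDONLY is satisfied (or off); SAFE still decides whether to sanitize,
    // so the two settings are independent gates, not alternatives.
    return ENABLE_RAW_HTML_SAFE ? sanitizeHtml($html) : $html;
}

// Constructed sample input: an admin-locked page carrying hostile markup.
$page = ['locked' => true, 'locked_by' => 'TheAdmin'];
$html = '<p onmouseover="alert(1)">hi</p><script>alert(2)</script>'
      . '<a href="javascript:alert(3)">x</a>';

var_dump(renderRawHtml($page, $html, 'TheAdmin'));          // sanitized output
var_dump(renderRawHtml(['locked' => false, 'locked_by' => ''], $html, 'TheAdmin')); // null
```

With the defaults, the locked page renders with the `<script>` element, the `onmouseover` handler and the `javascript:` URL removed, while the unlocked page yields null. The point for the question raised in the thread: ENABLE_RAW_HTML_LOCKEDONLY restricts who can place raw HTML, and ENABLE_RAW_HTML_SAFE restricts what that HTML may contain; turning SAFE off trusts every admin-locked page completely, so any markup the admin pastes (including from an untrusted source) reaches every reader's browser unchanged. A regex-based sanitizer like the one here is only an illustration; production code should use a real HTML parser with a tag and attribute whitelist.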