From: <de...@de...> - 2009-02-23 07:05:21
Author: PeterThoeny Date: 2009-02-23 01:05:17 -0600 (Mon, 23 Feb 2009) New Revision: 17840 Trac url: http://develop.twiki.org/trac/changeset/17840 Modified: twiki/branches/TWikiRelease04x02/data/TWiki/VarENCODE.txt twiki/branches/TWikiRelease04x02/data/TWiki/VarURLPARAM.txt Log: Item6186: Docs for adding safe mode to ENCODE and URLPARAM variables (unit tests pending) Modified: twiki/branches/TWikiRelease04x02/data/TWiki/VarENCODE.txt =================================================================== --- twiki/branches/TWikiRelease04x02/data/TWiki/VarENCODE.txt 2009-02-23 06:04:11 UTC (rev 17839) +++ twiki/branches/TWikiRelease04x02/data/TWiki/VarENCODE.txt 2009-02-23 07:05:17 UTC (rev 17840) @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1167874036" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1235369572" format="1.1" version="$Rev$"}% %META:TOPICPARENT{name="TWikiVariables"}% #VarENCODE ---+++ ENCODE{"string"} -- encodes a string to HTML entities 
@@ -10,13 +10,15 @@ * Supported parameters: | *Parameter:* | *Description:* | *Default:* | | ="string"= | String to encode | required (can be empty) | + | =type="safe"= | Encode special characters into HTML entities to avoid XSS exploits: ="<"=, =">"=, ="%"=, single quote (='=) and double quote (="=) | =type="url"= | | =type="entity"= | Encode special characters into HTML entities, like a double quote into =&#034;=. Does *not* encode =\n= or =\r=. | =type="url"= | | =type="html"= | As =type="entity"= except it also encodes =\n= and =\r= | =type="url"= | | =type="quotes"= | Escape double quotes with backslashes (=\"=), does not change other characters | =type="url"= | | =type="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | (this is the default) | * Example: =%<nop>ENCODE{"spaced name"}%= expands to =%ENCODE{"spaced name"}%= - * __%X% Note:__ Values of HTML input fields must be entity encoded.%BR% Example: =<input type="text" name="address" value="%<nop>ENCODE{ "any text" type="entity" }%" />= - * __%X% Note:__ Double quotes in strings must be escaped when passed into other TWiki variables.%BR% Example: =%<nop>SEARCH{ "%<nop>ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%= + * __%X% Notes:__ + * Values of HTML input fields must be entity encoded.%BR% Example: =<input type="text" name="address" value="%<nop>ENCODE{ "any text" type="entity" }%" />= + * Double quotes in strings must be escaped when passed into other TWiki variables.%BR% Example: =%<nop>SEARCH{ "%<nop>ENCODE{ "string with "quotes"" type="quotes" }%" noheader="on" }%= + * Use =type="entity"= or =type="safe"= to protect user input from URL parameters and external sources against cross-site scripting (XSS). =type="entity"= is more aggressive, but some TWiki applications might not work. =type="safe"= provides a safe middle ground. 
* Related: [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarURLPARAM][URLPARAM]] - Modified: twiki/branches/TWikiRelease04x02/data/TWiki/VarURLPARAM.txt =================================================================== --- twiki/branches/TWikiRelease04x02/data/TWiki/VarURLPARAM.txt 2009-02-23 06:04:11 UTC (rev 17839) +++ twiki/branches/TWikiRelease04x02/data/TWiki/VarURLPARAM.txt 2009-02-23 07:05:17 UTC (rev 17840) @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1228163901" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1235369572" format="1.1" version="$Rev$"}% %META:TOPICPARENT{name="TWikiVariables"}% #VarURLPARAM ---+++ URLPARAM{"name"} -- get value of a URL parameter 
@@ -9,15 +9,17 @@ | ="name"= | The name of a URL parameter | required | | =default="..."= | Default value in case parameter is empty or missing | empty string | | =newline="<br />"= | Convert newlines in textarea to other delimiters | no conversion | - | =encode="entity"= | Encode special characters into HTML entities. See [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODE]] for more details. | no encoding | - | =encode="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | no encoding | - | =encode="quote"= | Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other TWiki variables | no encoding | + | =encode="off"= | Turn off encoding. See important security note below | encode="safe" | + | =encode="safe"= | Encode special characters into HTML entities to avoid XSS exploits: ="<"=, =">"=, ="%"=, single quote (='=) and double quote (="=) | (this is the default) | + | =encode="entity"= | Encode special characters into HTML entities. See [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODE]] for more details. | encode="safe" | + | =encode="url"= | Encode special characters for URL parameter use, like a double quote into =%22= | encode="safe" | + | =encode="quote"= | Escape double quotes with backslashes (=\"=), does not change other characters; required when feeding URL parameters into other TWiki variables | encode="safe" | | =multiple="on"= %BR% =multiple="[<nop>[$item]]"= | If set, gets all selected elements of a =<select multiple="multiple">= tag. A format can be specified, with =$item= indicating the element, e.g. =multiple="Option: $item"= | first element | | =separator=", "= | Separator between multiple selections. 
Only relevant if multiple is specified | ="\n"= (new line) | * Example: =%<nop>URLPARAM{"skin"}%= returns =print= for a =.../view/%WEB%/%INCLUDINGTOPIC%?skin=print= URL * __%X% Notes:__ - * *IMPORTANT:* There is a risk that this variable could be misused for [[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-site scripting]] (XSS). - * URL parameters passed into HTML form fields __must be__ entity [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODEd]].%BR% Example: =<input type="text" name="address" value="%<nop>URLPARAM{ "address" encode="entity" }%" />= + * *IMPORTANT:* There is a risk that this variable can be misused for [[http://en.wikipedia.org/wiki/Cross-site_scripting][cross-site scripting]] (XSS) if the encoding is turned off. The =encode="safe"= is the default, it provides a safe middle ground. The =encode="entity"= is more aggressive, but some TWiki applications might not work. + * URL parameters passed into HTML form fields must be entity [[%IF{"'%INCLUDINGTOPIC%'='TWikiVariables'" then="#"}%VarENCODE][ENCODEd]].%BR% Example: =<input type="text" name="address" value="%<nop>URLPARAM{ "address" encode="entity" }%" />= * Double quotes in URL parameters must be escaped when passed into other TWiki variables.%BR% Example: =%<nop>SEARCH{ "%<nop>URLPARAM{ "search" encode="quotes" }%" noheader="on" }%= * When used in a template topic, this variable will be expanded when the template is used to create a new topic. See TWikiTemplates#TemplateTopicsVars for details. * Watch out for TWiki internal parameters, such as =rev=, =skin=, =template=, =topic=, =web=; they have a special meaning in TWiki. Common parameters and view script specific parameters are documented at TWikiScripts. |
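Review bot: in the VarENCODE hunk (@@ -10,13 +10,15 @@) the new `type="safe"` row and the closing note call the encoding a "safe middle ground" without saying which output contexts it is meant for or why `%` is in the list; state that `%` is encoded so that injected text is not expanded as a TWiki variable, and that `&` is not encoded (unlike `type="entity"`), so the result is intended for quoted HTML attribute values and element content rather than URL values (`type="url"` exists for those). The log says unit tests are pending, so the documented character set (`<`, `>`, `%`, `'`, `"`) should be verified against the implementation before the docs ship. The first bullet under Notes still says input-field values "must be entity encoded" while the last bullet offers `type="safe"` as an alternative; align the two statements.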
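Review bot: in the VarURLPARAM hunk (@@ -9,15 +9,17 @@) the table lists the parameter as `encode="quote"` while the example under Notes uses `encode="quotes"` (and VarENCODE uses `type="quotes"`); confirm which spelling the code accepts and use it in both places. Changing the default from no encoding to `encode="safe"` on the TWikiRelease04x02 branch alters every existing `%URLPARAM%` that has no `encode` parameter, so the release notes should call out the behaviour change and the `encode="off"` row should say that it restores the previous behaviour. The hunk also leaves open the order in which `newline="<br />"` conversion and the default encoding are applied; with `encode="safe"` as default, the inserted `<br />` would itself be encoded if encoding runs last, so document the order.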