New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"The html tag check can be bypassed by obfuscating the html tag, leading to a false sense of security" #5
Comments
I think I've fixed the issue. The page is parsed again before getting saved and if an HTML tag is detected by the Parser an error is triggered. |
There are still ways to bypass it. For example: I don't think its possible in principle to detect all possibilities in this manner. I think it is equivalent to the halting problem. If you really want to do something like this, maybe the way to do it is during PST (i.e. ParserPreSaveTransformComplete hook), look for tags with a regex, capture the text inside the tag, calculate Still a bit sketchy. I'd worry about cases where PST is not stable (probably fixable by running PST twice and making sure the result is the same). But i think its more likely to be able to be made secure if running during PST instead of main parsing. |
Seems to me like the hash technique this could easily be bypassed. Unless I'm not understanding it correctly. Right now, the code works to prevent pages containing the How about preventing a page from being parsed at display time if:
Preventing such a page from even getting displayed could act as a last resort mesure to ensure the safety of the code (when all else has failed). |
Per https://www.mediawiki.org/w/index.php?title=Extension:SaferHTMLTag&diff=prev&oldid=5789945
The text was updated successfully, but these errors were encountered: