From e4e419e7d9f3f049fc9f7fa4bd1731addad5bfb8 Mon Sep 17 00:00:00 2001 From: Gunnstein Lye <289744+glye@users.noreply.github.com> Date: Mon, 16 Jun 2025 10:29:54 +0200 Subject: [PATCH 1/7] Warn about code block access --- .../security/security_checklist.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 0482dd15b9..370d869e92 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -144,6 +144,12 @@ Reduce your attack surface by exposing only what you must. - { path: ^/search, roles: ROLE_USER} ``` +### Limit access to code blocks + +The Code Block in Page Builder is designed to accept any HTML, which includes embedded JavaScript. This means that XSS is necessarily possible for editors that have access to Code Blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to +[limit access to specific blocks per content type](https://doc.ibexa.co/projects/userguide/en/4.6/content_management/configure_ct_field_settings/#default-configuration-of-pages), +where you can define which page blocks are available to an editor. + ## Symfony ### `APP_SECRET` and other secrets From 5abd874674734d4c977f3cd33867c968b107bda8 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 16 Jun 2025 16:37:05 +0200 Subject: [PATCH 2/7] Update docs/infrastructure_and_maintenance/security/security_checklist.md --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 370d869e92..4c24da2102 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -147,7 +147,7 @@ Reduce your attack surface by exposing only what you must. ### Limit access to code blocks The Code Block in Page Builder is designed to accept any HTML, which includes embedded JavaScript. This means that XSS is necessarily possible for editors that have access to Code Blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to -[limit access to specific blocks per content type](https://doc.ibexa.co/projects/userguide/en/4.6/content_management/configure_ct_field_settings/#default-configuration-of-pages), +[limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages), where you can define which page blocks are available to an editor. ## Symfony From 9470f5ed0a3d13b22bdae219956f8cf428e0a0a7 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 16 Jun 2025 16:53:28 +0200 Subject: [PATCH 3/7] Update docs/infrastructure_and_maintenance/security/security_checklist.md --- .../security/security_checklist.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 4c24da2102..344f28bf9c 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -146,7 +146,8 @@ Reduce your attack surface by exposing only what you must. ### Limit access to code blocks -The Code Block in Page Builder is designed to accept any HTML, which includes embedded JavaScript. This means that XSS is necessarily possible for editors that have access to Code Blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to +The [Code block]([[= user_doc =]]/content_management/block_reference/#code-block) in Page Builder is designed to accept any HTML, which includes embedded JavaScript. +This means that malicious JS including cross site scripting (XSS) is necessarily possible for editors that have access to Code blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to [limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages), where you can define which page blocks are available to an editor. From 2ddc3865f06b3688888d65513581b6bc39570ec7 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 16 Jun 2025 17:03:55 +0200 Subject: [PATCH 4/7] Update docs/infrastructure_and_maintenance/security/security_checklist.md --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 344f28bf9c..83cbb96947 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -144,7 +144,7 @@ Reduce your attack surface by exposing only what you must. - { path: ^/search, roles: ROLE_USER} ``` -### Limit access to code blocks +### Limit access to Code blocks The [Code block]([[= user_doc =]]/content_management/block_reference/#code-block) in Page Builder is designed to accept any HTML, which includes embedded JavaScript. This means that malicious JS including cross site scripting (XSS) is necessarily possible for editors that have access to Code blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to From f8c47b50fea0e5a98d6377edf8b1549fa58aca54 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 16 Jun 2025 17:04:51 +0200 Subject: [PATCH 5/7] Update docs/infrastructure_and_maintenance/security/security_checklist.md --- .../security/security_checklist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 83cbb96947..2e095576f6 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -147,7 +147,7 @@ Reduce your attack surface by exposing only what you must. ### Limit access to Code blocks The [Code block]([[= user_doc =]]/content_management/block_reference/#code-block) in Page Builder is designed to accept any HTML, which includes embedded JavaScript. -This means that malicious JS including cross site scripting (XSS) is necessarily possible for editors that have access to Code blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to +This means that malicious JS including [cross site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) is necessarily possible for editors that have access to Code blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to [limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages), where you can define which page blocks are available to an editor. From 488279c847c6358669c0390784e0178c1be130f8 Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Mon, 16 Jun 2025 17:06:15 +0200 Subject: [PATCH 6/7] Update docs/infrastructure_and_maintenance/security/security_checklist.md --- .../security/security_checklist.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 2e095576f6..c9258daa65 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -147,9 +147,9 @@ Reduce your attack surface by exposing only what you must. ### Limit access to Code blocks The [Code block]([[= user_doc =]]/content_management/block_reference/#code-block) in Page Builder is designed to accept any HTML, which includes embedded JavaScript. -This means that malicious JS including [cross site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) is necessarily possible for editors that have access to Code blocks. As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. It is possible to -[limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages), -where you can define which page blocks are available to an editor. +This means that malicious JS including [cross site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) is necessarily possible for editors that have access to Code blocks. +As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. +It is possible to [limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages), where you can define which page blocks are available to an editor. ## Symfony From dc274068a8359e12431af4634c702baa1563c96a Mon Sep 17 00:00:00 2001 From: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> Date: Tue, 17 Jun 2025 10:01:04 +0200 Subject: [PATCH 7/7] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Tomasz Dąbrowski <64841871+dabrt@users.noreply.github.com> --- .../security/security_checklist.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index c9258daa65..d153ede4e4 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md @@ -147,9 +147,9 @@ Reduce your attack surface by exposing only what you must. ### Limit access to Code blocks The [Code block]([[= user_doc =]]/content_management/block_reference/#code-block) in Page Builder is designed to accept any HTML, which includes embedded JavaScript. -This means that malicious JS including [cross site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) is necessarily possible for editors that have access to Code blocks. -As site administrator you should be aware of this when giving editors access to the Page Builder features, and limit that access only to highly trusted editors. -It is possible to [limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages), where you can define which page blocks are available to an editor. +This means that editors who have access to Code blocks could add malicious JS including [cross site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting). +As site administrator, be aware of this when giving editors access to the Page Builder features, and limit that access only to trusted editors. +You can [limit access to specific blocks per content type]([[= user_doc =]]/content_management/configure_ct_field_settings/#default-configuration-of-pages) by defining which page blocks are available to editors. ## Symfony
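Review bot: The link added in the PATCH 1/7 hunk hardcodes the versioned URL `https://doc.ibexa.co/projects/userguide/en/4.6/content_management/configure_ct_field_settings/#default-configuration-of-pages`, so it will point at a stale release as soon as the user guide moves on; the rest of this file uses the `[[= user_doc =]]` variable, and PATCH 2/7 makes exactly that substitution, so squash 2/7 into 1/7 rather than landing the hardcoded URL in history. In the same hunk, "XSS is necessarily possible" reads as if the block were defective; the point the sentence is making is that accepting raw HTML is the block's purpose, so whatever an editor pastes is saved with the page and runs in the browser of whoever views it. Saying that plainly (stored script injection, executed for every visitor) tells an administrator more than the bare word XSS.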
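Review bot: The wording introduced in the PATCH 3/7 hunk and carried through 5/7 and 7/7, "malicious JS including cross site scripting (XSS)", treats XSS as a kind of JavaScript; XSS is the attack class, and injecting script through the Code block is one instance of it. Suggested replacement for the `+` line in 7/7: "This means that editors who have access to Code blocks can inject arbitrary script into the page, which is a [cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) vector." Hyphenating "cross-site" also matches the title of the linked article.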
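Review bot: The last `+` line of the PATCH 7/7 hunk says you can "limit access to specific blocks per content type ... by defining which page blocks are available to editors", but the linked setting is scoped to the content type, not to the editor: removing the Code block from a page field's block list removes it for everyone who edits that content type. The paragraph should say that to reserve Code blocks for trusted editors you combine this setting with role permissions, so that only the trusted role can edit the content types whose page field still offers the block; as written, a reader may believe the field setting alone restricts a subset of editors. Dropping "highly" from "highly trusted editors" in the same hunk also weakens the warning without explaining why: an editor who can write raw script into a published page holds roughly the same power as someone who can change the site's templates, and the checklist should state that level of trust explicitly.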