X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/1bdad3513c40f60f75248dd7ac1ed7638ed1ed2a..93f970ea2f8018f778246b689b980360aea158fe:/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn diff --git a/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn b/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn index 30f9f7d0a..c3c2b82f3 100644 --- a/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn +++ b/doc/todo/__42__forward__42__ing_functionality_for_the_meta_plugin.mdwn @@ -28,9 +28,11 @@ I can also submit a Git patch, if desired. It might be doable to add references to pages that refer to the page containg the forwarding statement also to the referred-to page. - --[[tschwinge]] + +# Discussion + > The html scrubber cannot scrub meta headers. So if you emit one > containing user-supplied data, it's up to you to scrub it to avoid all > possible XSS attacks. Two attacks I'd worry about are cyclic meta refresh @@ -46,3 +48,21 @@ the forwarding statement also to the referred-to page. >> What is a *cyclic meta refresh loop*? Two pages in turn forwarding to each other? >> I think it would be possible to implement such a guard when only in-wiki links >> ([[wikilink]]s) are being used, but how to do so for external links? --[[tschwinge]] + +>>> This seems a lot more securely to do for in-wiki links, since we know +>>> that a link generated by a wikilink is safe, and can avoid cycles. +>>> Obviously there's no way to avoid cycles when using external links. +>>> +>>> An example of code that doesn't detect such cycles is LWP::UserAgent, +>>> which will happily follow cycles forever. There's a LWPx::ParanoidAgent +>>> that can deal with cycles. I suppose this could be considered a client +>>> side issue, except that if I were going to turn this redirect feature +>>> on in my wikis, I'd really prefer to not have to worry about my wiki +>>> causing such problems for clients. I feel it makes sense to make +>>> external redirects or other potentially unsafe things an option, +>>> and have the default behavior be only things that are known to be +>>> secure. +>>> +>>> I haven't checked if there's a way to embed javascript in meta refresh +>>> links or not. Given all the other places I've seen it be embedded, I'll +>>> assume it is possible until it's shown not to be though.. --[[Joey]]