Raw HTML
Problem: there are two different tasks - to put plain text into a wiki, so that it is displayed unmodified; and to put HTML into a wiki, so that it is displayed unmodified, i.e. rendered by the browser.Proposed solution:
- The double quote syntax solves the first problem. On their contents,
htmlspecialchars()is executed. Done.
- The second problem is solved by the new syntax. Done.
- The
<# #>is proposed.
- The
- In the second task, depending on the option in the configuration file, the dangerous HTML code is removed or not removed. Done.
- see SafeHTML[link1] - anti-XSS HTML parser
Dangerous code is:
- attributes on*, data*, action="javascript:", href="javacript:", dynsrc.
- tags <object>, <layer>, <ilayer>, <frame>, <iframe>, <script>, <embed>, <applet>, <bgsound>, <style>, <link>, <body>, <meta>, <frameset>.
- strip dangerous CSS.
- position: (but not backgound-position:)
- @import
- @font-face:
- expression
- behavior
- For subject, it is suggested to do
strip_tags()with some small set of allowed tags, like i, a, b, s, strong, strike, u. The style attribute should also be removed.
- [link1] https://wackowiki.org/doc/Dev/Projects/SafeHTML