01389: Improve PmWiki Security through Content Security Policy support and removing inline javascript and style
This is related to 01425, please read the comments on both pages. --Petko November 08, 2017, at 08:09 AM
Description: Improve PmWiki security by
- supporting Content Security Policy [1] [2]
- removing inline code
- removing inline styling
PmWiki already supports this:
- Specify in config.php:
  $HTTPHeaders[] = "Content-Security-Policy: script-src 'self' https://apis.google.com";
  // or $HTMLHeaderFmt['CSP'] = '<meta...>';
- PmWiki doesn't use inline javascript, except to focus the password field in the login form, or when a form element contains the focus=1 attribute; all these are not essential and can be safely ignored by your browser; btw there is an HTML5 autofocus attribute for this. The GUIEdit toolbar is also not essential, one could write without it.
- Obviously, drop all JavaScript recipes that allow any settings via PHP or i18n (eg. DeObMail, DragDropMultiUpload...)
- Simply don't use WikiStyles: either disable it ($EnableWikiStyles = 0;), or use only the %class=xxx% directives. And don't use the style= attribute in tables or divs.
As you can see, PmWiki in no way prevents you from using CSP, you can enable it with a single line of code. --Petko July 07, 2016, at 01:21 AM
In addition: you can disable embedded core CSS styles in the header with this snippet:
  $styles = explode(' ', 'pmwiki rtl-ltr wikistyles markup simuledit diff urlapprove vardoc');
  foreach($styles as $style) $HTMLStylesFmt[$style] = '';
You can use the file pmwiki-core.css that comes with the skins Triad, Gemini or FixFlow (even if you have a different skin):
  $HTMLHeaderFmt['pmwiki-core-css'] = '<link rel="stylesheet" href="$FarmPubDirUrl/css/pmwiki-core.css" type="text/css" />';
These styles cannot be moved simply to the default skin CSS without breaking 95% of the skins and probably all unpublished custom skins. But as usual, PmWiki allows you to enable and disable the features you need. :-) --Petko July 07, 2016, at 05:35 AM
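An added audit script, not part of PmWiki or of this thread, that scans a rendered page for the inline pieces discussed above (embedded <style> blocks, the password-focus <script>, style= attributes and on* handlers), i.e. what a "script-src 'self'; style-src 'self'" policy would block once enabled. The sample HTML is constructed to resemble PmWiki output and is not captured from a real installation.

```python
from html.parser import HTMLParser

# Constructed sample resembling an unhardened PmWiki page (hypothetical markup).
SAMPLE_HTML = """<html><head>
<style type='text/css'>.wikistyle { color: red; }</style>
<link rel="stylesheet" href="/pub/css/pmwiki-core.css" type="text/css" />
<script type="text/javascript" src="/pub/guiedit/guiedit.js"></script>
</head><body>
<form action="/wiki/Main/HomePage"><input type="password" name="authpw" id="authpw" /></form>
<script type="text/javascript">document.getElementById('authpw').focus();</script>
<table style="width:50%"><tr><td class="note">ok</td></tr></table>
<p onclick="this.scrollIntoView()">x</p>
</body></html>"""


class InlineAuditor(HTMLParser):
    """Collect markup that script-src 'self'; style-src 'self' would block."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, tag, detail) tuples in document order
        self._open = None    # 'script' or 'style' while inside an inline block

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <script> without src and every <style> carry inline code.
        if tag == 'script' and 'src' not in attrs:
            self._open = 'script'
        elif tag == 'style':
            self._open = 'style'
        # style="..." attributes (e.g. from WikiStyles or table markup).
        if 'style' in attrs:
            self.findings.append(('inline-style-attr', tag, attrs['style']))
        # on* event handler attributes are inline script as well.
        for name, value in attrs.items():
            if name.startswith('on'):
                self.findings.append(('event-handler', tag, f'{name}={value}'))

    def handle_data(self, data):
        if self._open and data.strip():
            self.findings.append((f'inline-{self._open}', self._open, data.strip()))

    def handle_endtag(self, tag):
        if tag == self._open:
            self._open = None


def audit(html):
    """Return the list of CSP-blocked inline findings for one HTML document."""
    parser = InlineAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty result means the page should render unchanged under the strict policy; each finding names the element to move into an external file or drop.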