Changeset 4027


Timestamp:
06/04/09 00:10:06 (3 years ago)
Author:
KennethLavrsen
Message:

Item1640: CommentPlugin writes "%" as html-code, which prevents the use of Macros
It was me that created the problem with my default safe mode in URLPARAM
I have analysed the problem and as long as we use URLPARAM in the OUTPUT part of
the CommentPlugin templates and keep the settings inside verbatim tags we do not
expose any XSS attack. So we can give the users back the ability to use Foswiki
Macros in comment input fields.
With this I also merge over some code changes Crawford had done in trunk.
Note that except for the release version all changes in the .pm files are unrelated
to the bug fix, which is why I dare to check in the perltidy changes together with a bug fix.
CommentPlugin is now again same in trunk and Release branch

Location:
trunk/CommentPlugin
Files:
4 edited

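--- a/trunk/CommentPlugin/data/Sandbox/CommentPluginTemplateExample.txt
+++ b/trunk/CommentPlugin/data/Sandbox/CommentPluginTemplateExample.txt
@@ -28,5 +28,5 @@
 %WIKIUSERNAME% - %DATE%:
 
-%URLPARAM{"comment"}%
+%URLPARAM{"comment" encode="off"}%
 
 ---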
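Review bot: With `encode="off"` on the new line 30 the posted comment is written into the target topic exactly as submitted, so any raw HTML or macro in it is saved and then rendered for every later viewer, and nothing in this example says who may reach the form. That is only as safe as an ordinary edit if submitting the comment is gated by the same CHANGE permission an edit needs; whether the plugin enforces that on comment save is outside this changeset, so I would not call the stored output safe in general. The same consideration applies to every OUTPUT def changed in trunk/CommentPlugin/data/System/CommentPluginTemplate.txt, whose new note (lines 20-22) gives two rules but omits this one; I would add a third bullet there: `   * Output saved with encode="off" is rendered as normal topic text, so it should only be used where the people allowed to comment are also trusted to edit the topic.`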
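--- a/trunk/CommentPlugin/data/System/CommentPlugin.txt
+++ b/trunk/CommentPlugin/data/System/CommentPlugin.txt
@@ -1,3 +1,3 @@
-%META:TOPICINFO{author="ProjectContributor" date="1170597947" format="1.0" version="$Rev$"}%
+%META:TOPICINFO{author="ProjectContributor" date="1170597947" format="1.1" version="$Rev$"}%
 
 ---+!! Comment Plugin
@@ -251,6 +251,7 @@
 |  Plugin Version: | %$VERSION% |
 |  Change History: | |
+|  04 Jun 2009 | Foswikitask:Item1668 - The action template used with !ActionTrackerPlugin now uses new syntax ending with %ENDACTION. This makes each action item appear on a new line. Additionally new lines are now correctly saved as html br tags and not as html encoded br tag <br /> Foswikitask:Item1640 - Templates shipped with the plugin no longer encodes the user date entered when the date is saved so that it is possible for the user to use macros. |
 |  15 Jan 2008 | Foswikitask:Item727 - data loss issue when missing anchor or location |
-|  13 Jan 2009 | Foswikitask:736 Make !CommentPlugin aware of CompareRevisionsAddOn bin script. |
+|  13 Jan 2009 | Foswikitask:Item736 - Make !CommentPlugin aware of CompareRevisionsAddOn bin script. |
 |  16 Dec 2008 | Foswiki version |
 |  03 Aug 2008 | The TWiki 4.2.1 release version |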
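--- a/trunk/CommentPlugin/data/System/CommentPluginTemplate.txt
+++ b/trunk/CommentPlugin/data/System/CommentPluginTemplate.txt
@@ -17,4 +17,9 @@
 
 ---++ Template definitions
+
+%X% Note that the use of URLPARAM in the templates should be done in a way that prevents Cross Site Scripting attacks. The safest is to let URLPARAM encode the unsafe characters (default) but this prevents the user from entering Foswiki macros in the comment input fields. It is however safe to use encode="off" when the following rules are observed.
+   * The encode="off" option for URLPARAM is only used in this topic within verbatim tags to prevent this topic from being an XSS attack vector.
+   * The encode="off" option is only used in OUTPUT defs and never in the PROMPT.
+
 ---+++ Templates used in rest of file
 Generic prompt box used by other templates
@@ -24,5 +29,5 @@
 Short comment, signed and dated
 <verbatim>
-%TMPL:DEF{outputoneliner}%   * %URLPARAM{"comment"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END%
+%TMPL:DEF{outputoneliner}%   * %URLPARAM{"comment" encode="off"}% -- %WIKIUSERNAME% - %GMTIME{"$day $month $year"}%%TMPL:END%
 </verbatim>
 
@@ -87,5 +92,5 @@
 </verbatim>
 <verbatim>
-%TMPL:DEF{OUTPUT:bulletabove}%   * %URLPARAM{"bullet_above_item"}%%POS:BEFORE%
+%TMPL:DEF{OUTPUT:bulletabove}%   * %URLPARAM{"bullet_above_item" encode="off"}%%POS:BEFORE%
 %TMPL:END%
 </verbatim>
@@ -104,5 +109,5 @@
 %TMPL:DEF{OUTPUT:threadmode}%%POS:BEFORE%
 
-%URLPARAM{"comment"}%
+%URLPARAM{"comment" encode="off"}%
 
 -- %WIKIUSERNAME% - %DATE%
@@ -125,5 +130,5 @@
 ---++++ %WIKIUSERNAME% - %SERVERTIME%
 
-%URLPARAM{"comment"}%
+%URLPARAM{"comment" encode="off"}%
 
 %TMPL:END%
@@ -157,5 +162,5 @@
 </verbatim>
 <verbatim>
-%TMPL:DEF{OUTPUT:tableprepend}%%POS:AFTER%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% |
+%TMPL:DEF{OUTPUT:tableprepend}%%POS:AFTER%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% |
 %TMPL:END%
 </verbatim>
@@ -172,5 +177,5 @@
 </verbatim>
 <verbatim>
-%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />"}% | %WIKIUSERNAME% | %SERVERTIME% |
+%TMPL:DEF{OUTPUT:tableappend}%%POS:BEFORE%| %URLPARAM{"comment" newline="<br />" encode="off"}% | %WIKIUSERNAME% | %SERVERTIME% |
 %TMPL:END%
 </verbatim>
@@ -209,5 +214,5 @@
 </verbatim>
 <verbatim>
-%TMPL:DEF{OUTPUT:action}%%POS:BEFORE%%AC%NOP%TION{who="%URLPARAM{"action_who"}%" due="%URLPARAM{"action_due"}%"}% %URLPARAM{"action_comment"}%<br />- Created by %WIKIUSERNAME%, %SERVERTIME%%ENDACTION%
+%TMPL:DEF{OUTPUT:action}%%POS:BEFORE%%AC%NOP%TION{who="%URLPARAM{"action_who" encode="off"}%" due="%URLPARAM{"action_due" encode="off"}%"}% %URLPARAM{"action_comment" encode="off"}%<br />- Created by %WIKIUSERNAME%, %SERVERTIME%%ENDACTION%
 %TMPL:END%
 </verbatim>
@@ -229,5 +234,5 @@
 </verbatim>
 <verbatim>
-%TMPL:DEF{OUTPUT:table}%%POS:BEFORE%| %URLPARAM{"comment_date"}% | %WIKIUSERNAME% | %URLPARAM{"comment_city" }% |
+%TMPL:DEF{OUTPUT:table}%%POS:BEFORE%| %URLPARAM{"comment_date" encode="off"}% | %WIKIUSERNAME% | %URLPARAM{"comment_city" encode="off"}% |
 %TMPL:END%
 </verbatim>
@@ -250,6 +255,6 @@
 <verbatim>
 %TMPL:DEF{OUTPUT:toctalk}%
-%POS:BEFORE%---++++ %SERVERTIME% %WIKIUSERNAME%: %URLPARAM{"comment_summary"}%
-%POS:BEFORE%%URLPARAM{"toctalk_comment_text" }%
+%POS:BEFORE%---++++ %SERVERTIME% %WIKIUSERNAME%: %URLPARAM{"comment_summary" encode="off"}%
+%POS:BEFORE%%URLPARAM{"toctalk_comment_text" encode="off"}%
 %POS:BEFORE%
 %TMPL:END%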
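Review bot: In the OUTPUT:action def (new line 216) `action_who` and `action_due` are now inserted unencoded inside the double-quoted `who="…"` and `due="…"` attributes of the ACTION macro, so a double quote typed into either field closes the attribute early and the remainder of the value is parsed as further macro parameters — at best a mangled action, at worst attributes the commenter did not fill in. Those two parameters are attribute values rather than free text, so they do not need `encode="off"` to keep macros working; I would use the quote-escaping mode instead, e.g. `who="%URLPARAM{"action_who" encode="quote"}%" due="%URLPARAM{"action_due" encode="quote"}%"`, and keep `encode="off"` only for `action_comment`, assuming this release's URLPARAM supports `encode="quote"`. The table defs on lines 164, 179 and 236 have a milder version of the same context problem: a `|` in the comment now splits the table row, which breaks layout rather than security.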
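--- a/trunk/CommentPlugin/lib/Foswiki/Plugins/CommentPlugin.pm
+++ b/trunk/CommentPlugin/lib/Foswiki/Plugins/CommentPlugin.pm
@@ -13,5 +13,5 @@
 
 our $VERSION = '$Rev$';
-our $RELEASE = 'Foswiki-1.0.1';
+our $RELEASE = '04 Jun 2009';
 our $SHORTDESCRIPTION =
   'Quickly post comments to a page without an edit/preview/save cycle';
@@ -19,5 +19,4 @@
 
 sub initPlugin {
-
     #my ( $topic, $web, $user, $installWeb ) = @_;
     return 1;
@@ -30,5 +29,5 @@
 
     my $query = Foswiki::Func::getCgiQuery();
-    return unless ( defined($query) );
+    return unless( defined( $query ) );
 
     return unless $_[0] =~ m/%COMMENT({.*?})?%/o;
@@ -39,10 +38,9 @@
     # SMELL: unreliable
     my $previewing = ( $scriptname =~ /\/(preview|gnusave|rdiff|compare)/ );
-    Foswiki::Plugins::CommentPlugin::Comment::prompt( $previewing, $_[0], $web,
-        $topic );
+    Foswiki::Plugins::CommentPlugin::Comment::prompt( $previewing,
+                                                    $_[0], $web, $topic );
 }
 
 sub beforeSaveHandler {
-
     #my ( $text, $topic, $web ) = @_;
 
@@ -54,6 +52,6 @@
     my $action = $query->param('comment_action');
 
-    return unless ( defined($action) && $action eq 'save' );
-    Foswiki::Plugins::CommentPlugin::Comment::save(@_);
+    return unless( defined( $action ) && $action eq 'save' );
+    Foswiki::Plugins::CommentPlugin::Comment::save( @_ );
 }
 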