01389: Improve PmWiki Security through Content Security Policy support and removing inline javascript and style

Summary: Improve PmWiki Security through Content Security Policy support and removing inline javascript and style
Created: 2016-07-06 22:39
Status: Open
Category: Other
From: Simon
Assigned:
Priority: 4
Version: n/a
OS: n/a

This is related to 01425, please read the comments on both pages. --Petko November 08, 2017, at 08:09 AM

Description: Improve PmWiki security by

Simon July 06, 2016, at 10:43 PM

PmWiki already supports this:

  1. Specify in config.php
    $HTTPHeaders[] = "Content-Security-Policy: script-src 'self' https://apis.google.com"; // or
    $HTMLHeaderFmt['CSP'] = '<meta...>';
  2. PmWiki doesn't use inline javascript, except to focus the password field in the login form, or when a form element contains the focus=1 attribute; all these are not essential and can be safely ignored by your browser; btw there is an HTML5 autofocus attribute for this. The GUIEdit toolbar is also not essential, one could write without it.
  3. Simply don't use WikiStyles: either disable it, or use only the %class=xxx% directives. ($EnableWikiStyles = 0;) And don't use the style= attribute in tables or divs.

As you can see, PmWiki in no way prevents you from using CSP; you can enable it with a single line of code. --Petko July 07, 2016, at 01:21 AM

In addition: you can disable embedded core CSS styles in the header with this snippet:

  $styles = explode(' ', 'pmwiki rtl-ltr wikistyles markup simuledit diff urlapprove vardoc');
  foreach($styles as $style) $HTMLStylesFmt[$style] = '';

You can use the file pmwiki-core.css that comes with the skins Triad, Gemini or FixFlow (even if you have a different skin):

 // Load the core rules from an external stylesheet instead of the inline <style> blocks
 $HTMLHeaderFmt['pmwiki-core-css'] = '<link rel="stylesheet" href="$FarmPubDirUrl/css/pmwiki-core.css" type="text/css" />';

These styles cannot be moved simply to the default skin CSS without breaking 95% of the skins and probably all unpublished custom skins. But as usual, PmWiki allows you to enable and disable the features you need. :-) --Petko July 07, 2016, at 05:35 AM
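Putting Petko's two replies above together, here is a config.php fragment that applies all of them at once. This is an added example, not code from the PmWiki project or from this thread; it assumes pmwiki-core.css has been copied into $FarmPubDirUrl/css/ and that the PmWiki variables $HTTPHeaders, $HTMLStylesFmt, $HTMLHeaderFmt, $EnableWikiStyles and $EnableGUIButtons are used as documented; $CSPEnforce and the $csp array are local names chosen for the example.

```php
<?php if (!defined('PmWiki')) exit();
// Added example for local/config.php (not part of PmWiki).
// Goal: send a CSP with no 'unsafe-inline', then stop PmWiki from emitting
// the inline <style> blocks and inline JavaScript that such a policy blocks.

// 1. The policy, one directive per array entry so it can be reviewed and
//    changed line by line. 'self' only: no inline script, no inline style.
$csp = array(
  "default-src 'self'",
  "script-src 'self'",      // add any external script hosts you really need
  "style-src 'self'",       // external stylesheets only, style= attributes are blocked
  "img-src 'self' data:",
  "object-src 'none'",
  "base-uri 'self'",
  "frame-ancestors 'self'",
);

// Hypothetical switch (not a PmWiki variable): start in Report-Only mode so
// the browser console shows what the policy would block on each page,
// then flip to enforcing once nothing unexpected is reported.
$CSPEnforce = false;
$HTTPHeaders[] = ($CSPEnforce
    ? 'Content-Security-Policy: '
    : 'Content-Security-Policy-Report-Only: ')
  . implode('; ', $csp);

// 2. Blank the core inline <style> blocks that PmWiki adds to <head>...
$styles = explode(' ', 'pmwiki rtl-ltr wikistyles markup simuledit diff urlapprove vardoc');
foreach ($styles as $style) $HTMLStylesFmt[$style] = '';

// ...and serve the same rules from an external file instead (copied from the
// Triad, Gemini or FixFlow skin, works with any skin).
$HTMLHeaderFmt['pmwiki-core-css'] =
  '<link rel="stylesheet" href="$FarmPubDirUrl/css/pmwiki-core.css" type="text/css" />';

// 3. Turn off features that produce inline style= attributes or inline JS.
//    Note: this disables all WikiStyles, including %class=xxx%; keep it
//    enabled and restrict authors to %class=xxx% if you need that form.
$EnableWikiStyles = 0;
$EnableGUIButtons = 0;   // GUIEdit toolbar, non-essential per the thread
```

With Report-Only set, the login-form focus script and any style= attributes in existing pages show up as console violations without breaking rendering, which is the list of things to clean up before enforcing.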