Add default XSS security config

This commit is contained in:
Andy Miller
2018-09-29 21:24:58 -06:00
parent 33d98114ba
commit 5b787d56e6
2 changed files with 71 additions and 0 deletions


@@ -0,0 +1,49 @@
title: PLUGIN_ADMIN.SECURITY
form:
validation: loose
fields:
security_section:
type: section
title: XSS Security
underline: true
xss_whitelist:
type: selectize
size: large
label: Whitelist Permissions
help: Users with these permissions will skip the XSS rules when saving content
placeholder: 'admin.super'
classes: fancy
validate:
type: commalist
xss_rules:
type: list
label: Rules
help: Be careful when tweaking these rules, a broken regex will break things badly!
classes: compact
fields:
.label:
type: text
label: Label
validate:
required: true
.enabled:
type: toggle
label: Rule Enabled
highlight: 1
options:
1: PLUGIN_ADMIN.YES
0: PLUGIN_ADMIN.NO
default: true
validate:
type: bool
.regex:
type: text
label: Regex
validate:
required: true
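Review bot: The `.regex` field under `xss_rules` is only checked for presence (`validate: required: true`), so a pattern that does not compile is accepted by the blueprint even though the `help` line on the list admits that "a broken regex will break things badly". At minimum the field's help should state the expected shape so editors do not enter a bare expression: `help: 'Full PCRE pattern including delimiters and modifiers, e.g. #<script[^>]*>#iu'`. If the form framework offers a server-side validation hook, a `preg_match()` compile check of the value before it is saved would turn a typo into a form error instead of a broken filter; I cannot see the validation hooks from this blueprint, so confirm what is available. The `xss_whitelist` help could also say plainly that listed permissions switch the filter off entirely for those users, e.g. `help: 'Users holding any of these permissions bypass every XSS rule when saving content'`.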


@@ -0,0 +1,22 @@
xss_whitelist: [admin.super] # Whitelist of user access that should 'skip' XSS checking
xss_rules: # Array of XSS tests to run through
-
label: On-Events
enabled: true
regex: '#(<[^>]+[\x00-\x20\"''\/])(on|xmlns)[^>]*>?#iUu'
-
label: JavaScript
enabled: true
regex: '!((java|live|vb)script|mocha|feed|data):(\w)*!iUu'
-
label: Moz-Binding
enabled: true
regex: '#-moz-binding[\x00-\x20]*:#u'
-
label: 'Style Attributes'
enabled: false
regex: '#(<[^>]+[\x00-\x20\"''\/])style=[^>]*>?#iUu'
-
label: 'Dangerous Tags'
enabled: true
regex: '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>?#ui'
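Review bot: The JavaScript rule only recognizes the scheme written verbatim (`javascript:`), so HTML-entity or whitespace-interleaved forms that browsers still honor, such as `java&#x09;script:` or `&#106;avascript:`, pass this rule unless the content is entity-decoded before the rules run, which is not visible from this file. The same applies to the tag and event-handler rules, since they match only a literal `<`. These patterns are a blacklist, not a sanitizer, and the file should say so above `xss_rules`: `# NOTE: these are blacklist patterns, not a sanitizer; encoded or obfuscated variants can still get through, so output escaping in templates must stay in place`. The trailing `(\w)*` in the JavaScript rule matches nothing useful and could be dropped, and the dangerous-tag list omits `svg` and `math`, which carry their own script-bearing children; whether adding them is acceptable depends on how much legitimate markup the admin editors need.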