diff --git a/system/blueprints/config/security.yaml b/system/blueprints/config/security.yaml
new file mode 100644
index 000000000..c0f4085b9
--- /dev/null
+++ b/system/blueprints/config/security.yaml
@@ -0,0 +1,49 @@
+title: PLUGIN_ADMIN.SECURITY
+
+form:
+ validation: loose
+ fields:
+
+ security_section:
+ type: section
+ title: XSS Security
+ underline: true
+
+ xss_whitelist:
+ type: selectize
+ size: large
+ label: Whitelist Permissions
+ help: Users with these permissions will skip the XSS rules when saving content
+ placeholder: 'admin.super'
+ classes: fancy
+ validate:
+ type: commalist
+
+
+ xss_rules:
+ type: list
+ label: Rules
+ help: Be careful when tweaking these rules, a broken regex will break things badly!
+ classes: compact
+ fields:
+ .label:
+ type: text
+ label: Label
+ validate:
+ required: true
+ .enabled:
+ type: toggle
+ label: Rule Enabled
+ highlight: 1
+ options:
+ 1: PLUGIN_ADMIN.YES
+ 0: PLUGIN_ADMIN.NO
+ default: true
+ validate:
+ type: bool
+ .regex:
+ type: text
+ label: Regex
+ validate:
+ required: true
+
diff --git a/system/config/security.yaml b/system/config/security.yaml
new file mode 100644
index 000000000..69b44dd80
--- /dev/null
+++ b/system/config/security.yaml
@@ -0,0 +1,22 @@
+xss_whitelist: [admin.super] # Whitelist of user access that should 'skip' XSS checking
+xss_rules: # Array of XSS tests to run through
+ -
+ label: On-Events
+ enabled: true
+ regex: '#(<[^>]+[\x00-\x20\"''\/])(on|xmlns)[^>]*>?#iUu'
+ -
+ label: JavaScript
+ enabled: true
+ regex: '!((java|live|vb)script|mocha|feed|data):(\w)*!iUu'
+ -
+ label: Moz-Binding
+ enabled: true
+ regex: '#-moz-binding[\x00-\x20]*:#u'
+ -
+ label: 'Style Attributes'
+ enabled: false
+ regex: '#(<[^>]+[\x00-\x20\"''\/])style=[^>]*>?#iUu'
+ -
+ label: 'Dangerous Tags'
+ enabled: true
+ regex: '#]*>?#ui'
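Review bot: The `.regex` field in the `xss_rules` list is validated only with `required: true`, while its own help text admits that "a broken regex will break things badly"; since each value is presumably handed straight to a PCRE matcher at save time, an invalid or catastrophically backtracking pattern entered here would likely make content saving fail or hang for every user, so the form is itself a sensitive control surface. At minimum the help should tell the editor what the value must look like, e.g. `help: Full PCRE pattern including delimiters and modifiers (see the defaults in system/config/security.yaml). An invalid pattern blocks all content saves.` The `xss_whitelist` help should likewise spell out the trade-off rather than describing it as "skipping" rules: `help: Content saved by users holding any of these permissions is not checked against the XSS rules at all, so they can store arbitrary HTML and script`.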
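Review bot: The `Dangerous Tags` rule's regex as it appears here, `'#]*>?#ui'`, matches the empty string, so if that is what was committed every save would be flagged; the tag-name alternation inside `<`…`>` looks like it was lost when the page was rendered, so confirm the committed pattern actually lists the tags rather than this fragment. The rules are plain regexes over the raw content, so unless the consumer decodes entities before matching, obfuscated payloads such as `java&#x09;script:` or `&#106;avascript:` slip past the `JavaScript` rule, and with `Style Attributes` disabled by default inline-style vectors that do not contain a `scheme:` (e.g. legacy `expression(...)`) are not covered either; the header comment should set expectations, e.g. `# Defense-in-depth blacklist applied to raw saved content; no entity decoding, not a substitute for output escaping`. The `xss_whitelist` comment should also state the consequence plainly: `# Users holding any of these permissions bypass every rule below and can store arbitrary HTML/script`.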