Page MenuHomePhabricator
Create Task
Maniphest T96461

Systematic sanitization for SVGs and HTML
Open, MediumPublic
Actions

Description

Several backend services want to expose HTML and SVG content without any wrapping. To avoid XSS even on older browsers without support for CSP & related policies, we should make sure that all such content is properly sanitized.

Parsoid already has a port of the MediaWiki HTML sanitizer. This is currently operating on tokens, but can be ported to work as a SAX handler as well. Much of the same attribute sanitization is needed for SVGs. There is code in MediaWiki that validates (but not sanitizes) SVGs in the upload path, which we should template this on. That code also uses the PHP Sanitizer class.

It might make most sense to offer this as html2html and svg2svg end points in Parsoid. This lets Parsoid combine sanitization with format migrations. For SVG, we could also consider offering minimization (T74547). There is also a proposal for T78579: SVG to PNG conversion, minimization, sanitization service, although integrating that into Parsoid would be a bit of a stretch.

Another option would be to handle SVG separately in a SVG / PNG conversion service. This would require the extraction of the Parsoid sanitizer as a library, which would be useful in its own right.

In RESTBase, sanitization should be tied to the expected content-type (as documented in the swagger spec). The Sanitizer should emit a content-type like text/html;profile=mediawiki.org/specs/html/1.0.1, which is stored along with content in RESTBase. If the service-provided or stored content-type does not match the expectation in the swagger spec, the content is sent to the sanitizer registered for the base content type (possibly by prefix or regexp) and only returned / stored back if the result then matches the expectation.

Related Objects
Search...

Event Timeline

GWicke created this task.Apr 17 2015, 11:44 PM
GWicke raised the priority of this task from to Needs Triage.
GWicke updated the task description. (Show Details)
GWicke added projects: RESTBase, Parsoid.
GWicke subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 17 2015, 11:44 PM
GWicke updated the task description. (Show Details)Apr 17 2015, 11:47 PM
GWicke set Security to None.
GWicke edited subscribers, added: ssastry, csteipp, mobrovac; removed: Aklapper.Apr 19 2015, 1:01 AM
GWicke added a subscriber: Yurik.
GWicke mentioned this in T78579: SVG to PNG conversion, minimization, sanitization service.Apr 23 2015, 9:43 PM
GWicke moved this task from Backlog to Under discussion on the RESTBase board.Jun 29 2015, 5:33 PM
Arlolra triaged this task as Medium priority.Jul 7 2015, 3:59 AM
Arlolra moved this task from Needs Triage to Needs Discussion on the Parsoid board.
Arlolra subscribed.
csteipp added a comment.Jul 7 2015, 4:14 PM

For php, there's http://htmlpurifier.org/. Mario Heiderich (Cure53/html5sec.org) also gave me a copy of his svgpurifier library, which does the same for svgs.

Is there a similar node library? If not, porting both of those libraries would be fairly straight forward.

cscott subscribed.Jul 7 2015, 4:17 PM

Is there a spec for htmlpurifier/svgpurifier? My personal goal here is to move away from adhoc sanitization and have a written spec of exactly what we're doing to the input.

Arlolra added a comment.Dec 4 2015, 10:42 PM

https://github.com/cure53/DOMPurify

GWicke added a comment.Dec 4 2015, 10:43 PM

https://github.com/notriddle/ammonia

GWicke added a comment.EditedDec 4 2015, 10:46 PM

The type of HTML sanitization we are after is fairly specific to MediaWiki, so it might make sense to actually use the Parsoid sanitizer.js, hooked up to SAX handlers or a DOM visitor. This also avoids maintaining two separate sanitizers.

The main issue with the Parsoid sanitizer is that it currently does not cover SVG. We could either add that, or use a separate library for SVG.

ssastry moved this task from Needs Discussion to Needs Triage on the Parsoid board.Dec 17 2015, 11:07 PM
Yurik added a comment.Feb 11 2016, 1:53 AM

From the looks of it, DOMPurify should cover our SVG use case, and unlike ammonia, is written in JS, making it possible to adapt it into Parsoid sanitizer. Lets security evaluate it - this way I can already embed it into Graphoid, until restbase starts supporting it transparently.

Yurik added a subtask: T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs.Feb 11 2016, 1:54 AM
Ricordisamoa subscribed.Feb 11 2016, 2:10 AM
RobLa-WMF subscribed.May 15 2016, 7:15 PM
GWicke added a project: Services.Oct 12 2016, 11:19 PM
MZMcBride subscribed.Oct 26 2016, 5:11 AM
Bawolff subscribed.Oct 27 2016, 6:16 AM
Arlolra mentioned this in T144467: Security review for Google MT for Content Translation.Jun 29 2017, 2:13 PM
santhosh mentioned this in T169295: Sanitize MT service output HTML.Jun 30 2017, 5:05 AM
GWicke moved this task from Backlog to watching on the Services board.Jul 11 2017, 8:53 PM
GWicke edited projects, added Services (watching); removed Services.
EBjune closed subtask T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs as Resolved.Nov 29 2017, 6:44 PM
mobrovac added a project: Platform Team Legacy (Watching / External).Dec 20 2018, 12:02 PM
LGoto moved this task from Needs Triage to Backlog on the Parsoid board.Feb 15 2020, 9:42 PM
LGoto moved this task from Backlog to Future Ideas on the Parsoid board.Jun 11 2020, 6:15 PM
Bugreporter mentioned this in T334953: Introduce an SVG Sanitizer.Apr 18 2023, 2:22 PM
Glrx subscribed.Apr 19 2023, 1:53 AM
R4356th subscribed.Jun 7 2023, 8:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL