Trusted Authors Plugin
I have committed a new plugin "serendipity_event_xsstrust" to our additional plugins module.
This plugin can be very helpful for multi-user blogs where you do not fully trust your authors. Since Serendipity aims to provide an interface for typing HTML code as an author, on a multi-user blog every user can insert JavaScript and any HTML he likes into your entries. In effect this also means that any author may insert "XSS" into your blog; this is not a bug in itself, since as a single blog owner you want the freedom to enter any HTML you like.
Thanks to Absynth, I got the idea to create this plugin. It can be configured by the site owner to specify which authors are trusted. Only those trusted users can insert HTML code. All other authors get htmlspecialchars() applied to their input and can no longer inject active HTML or script.
If you don't want the plugin to break transformed BBCode or emoticons, you need to stack it BEFORE any other markup-related plugins, so that htmlspecialchars() is applied only to the user input and not to any plugin output.
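To show that ordering rule concretely, here is an added stand-alone PHP model of the two filter stages; it is not the plugin's own code, and the trusted-author list, the tiny BBCode converter and the two render orders are constructed for the example.

```php
<?php
// Added example, not the serendipity_event_xsstrust plugin's own code.
// Models the filter ordering described in the post: the escape step for
// untrusted authors must run on the raw input, before any markup plugin.

// Constructed author table; the real plugin reads this from its configuration.
const TRUSTED_AUTHOR_IDS = [1];

// Stand-in for a markup plugin: a tiny BBCode-to-HTML converter for [b] and [i].
function bbcodeToHtml(string $text): string
{
    return preg_replace('#\[(b|i)\](.*?)\[/\1\]#s', '<$1>$2</$1>', $text);
}

// The escape step: untrusted authors get htmlspecialchars() with ENT_QUOTES,
// so <, >, &, " and ' can no longer form tags or break out of attributes.
function escapeIfUntrusted(int $authorId, string $body): string
{
    if (in_array($authorId, TRUSTED_AUTHOR_IDS, true)) {
        return $body; // trusted author: raw HTML passes through unchanged
    }
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}

// Correct stacking: escape the raw input first, then run the markup plugin.
function renderEscapeFirst(int $authorId, string $body): string
{
    return bbcodeToHtml(escapeIfUntrusted($authorId, $body));
}

// Wrong stacking: markup plugin first, then escape (breaks the BBCode output).
function renderMarkupFirst(int $authorId, string $body): string
{
    return escapeIfUntrusted($authorId, bbcodeToHtml($body));
}

$entry = '[b]Hello[/b] <script>alert(1)</script>'; // constructed entry body

// Trusted author: the HTML survives in either order (by design).
var_dump(renderEscapeFirst(1, $entry) === '<b>Hello</b> <script>alert(1)</script>');

// Untrusted author, escape first: the bold tag renders, the script is inert text.
var_dump(renderEscapeFirst(2, $entry) === '<b>Hello</b> &lt;script&gt;alert(1)&lt;/script&gt;');

// Untrusted author, markup first: the generated <b> is escaped as well, so the
// reader sees a literal "<b>" instead of bold text; this is the breakage the post warns about.
var_dump(renderMarkupFirst(2, $entry) === '&lt;b&gt;Hello&lt;/b&gt; &lt;script&gt;alert(1)&lt;/script&gt;');
```

All three var_dump() calls print bool(true); the last one shows why the plugin has to sit before the markup plugins in the stack.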
I urge the users who run an open membership blog to think about using this plugin. Have fun. :-)
Comments
Keilaron:
Excellent idea, I've been wanting this myself. Although I was hoping for something sensitive to specific tags (like disabling OBJECT, SCRIPT, code (if applicable?), etc.).