We will soon release TWiki 4.3.0. The code base is already very stable, nevertheless it is good practice to review the code for robustness and security. Setting this to "urgent" so that it gets some attention.
-- TWiki:Main/PeterThoeny - 17 Feb 2009
TWiki:Main/MarcSchoenefeld and TWiki:Main/SteveMilner of Red Hat reported an XSS issue on any TWiki page with this URL parameter example:
?tag=%0Dsecurity;by=;tag=~%27%20onmouseover=script:alert(1)%20%27
Hover the mouse over the "printable view" link and a JS popup will be shown.
They suggested this fix:
--- viewtopicactionbuttons.tmpl (revision 17826)
+++ viewtopicactionbuttons.tmpl (working copy)
@@ -18,7 +18,7 @@
%TMPL:DEF{"action_printable"}%%TMPL:P{"printable"}%%TMPL:P{"sep"}%%TMPL:END%
-%TMPL:DEF{"printable"}%<span><a href='%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%?cover=print%QUERYPARAMSTRING%%REVARG%' rel='nofollow' %MAKETEXT{"title='Printable version of this topic' accesskey='p'>&Print version"}%</a></span>%TMPL:END%
+%TMPL:DEF{"printable"}%<span><a href='%SCRIPTURLPATH{"view"}%/%WEB%/%TOPIC%?cover=print%ENCODE{%QUERYPARAMSTRING%}%%REVARG%' rel='nofollow' %MAKETEXT{"title='Printable version of this topic' accesskey='p'>&Print version"}%</a></span>%TMPL:END%
%TMPL:DEF{"activatable_printable"}%%TMPL:P{"printable"}%%TMPL:END%
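Review bot: the `+` line wraps the whole query string in `%ENCODE{%QUERYPARAMSTRING%}%` without an explicit encoding type, so which transformation actually runs depends on ENCODE's default; the template should name the type so the intent is visible to the next reader. The character that breaks the attribute in the report is the single quote (`%27`) closing the `href='...'` value, while the same reported query string also carries `=` and `;` separators, so the chosen encoding has to neutralise `'`, `"`, `<` and `>` without rewriting the separators, or the printable link silently loses its parameters. A unit test that renders this template with a quote-bearing parameter and checks that the resulting anchor has only `href` and `rel` attributes would pin the fix down.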
Thank you Marc and Steve!
-- TWiki:Main.PeterThoeny - 23 Feb 2009
TWikirev:17838 and TWikirev:17839 - I added a safe mode to VarENCODE and VarURLPARAM. Sub URLPARAM calls _encode to avoid duplicated code for better maintenance. Doc and unit tests pending.
-- TWiki:Main.PeterThoeny - 23 Feb 2009
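The following is an added illustration of the point behind both the reported printable-link XSS and the ENCODE/URLPARAM safe mode; it is not TWiki code and not the reporters' patch. It renders the reported query string into a single-quoted `href` three ways (no encoding, full URL-encoding, attribute-safe escaping) and uses an HTML parser to see which attributes a browser would end up with. It assumes a made-up path `/bin/view/Main/WebHome` and that the template sees the query string URL-decoded; Python is used for the check even though TWiki itself is Perl.

```python
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Constructed input: the reported URL parameter example, URL-decoded to the
# form the template sees once the parameters have been expanded into the
# href attribute (an assumption about how %QUERYPARAMSTRING% is rendered).
REPORTED_QUERY = unquote(
    "tag=%0Dsecurity;by=;tag=~%27%20onmouseover=script:alert(1)%20%27"
)


def encode_none(s):
    """No encoding: the pre-fix template behaviour."""
    return s


def encode_url_full(s):
    """Percent-encode everything, including the '=' and ';' separators."""
    return quote(s, safe="")


def encode_attr_safe(s):
    """Escape only what can close a quoted attribute or open a tag.

    Query separators are left alone, so the link keeps its parameters.
    """
    table = {"&": "&amp;", "'": "&#39;", '"': "&quot;", "<": "&lt;", ">": "&gt;"}
    return "".join(table.get(c, c) for c in s)


def printable_link(query, encoder):
    """Render an anchor shaped like the template's 'printable' definition:
    a single-quoted href carrying cover=print plus the request's query string.
    The path is a made-up placeholder, not a real TWiki URL."""
    return (
        "<span><a href='/bin/view/Main/WebHome?cover=print&%s' "
        "rel='nofollow'>Print version</a></span>" % encoder(query)
    )


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a browser would see on the <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs.update(attrs)


def anchor_attributes(fragment):
    parser = _AnchorAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def assess(encoder):
    """Return (injected, params_preserved) for one encoding strategy.

    injected: an attacker-controlled event handler became an attribute.
    params_preserved: the href still carries a readable 'tag=' parameter.
    """
    attrs = anchor_attributes(printable_link(REPORTED_QUERY, encoder))
    injected = "onmouseover" in attrs
    params_preserved = "tag=" in attrs.get("href", "")
    return injected, params_preserved


if __name__ == "__main__":
    for name, enc in [("none", encode_none), ("url-full", encode_url_full),
                      ("attr-safe", encode_attr_safe)]:
        injected, preserved = assess(enc)
        print("%-9s injected=%-5s params_preserved=%s" % (name, injected, preserved))
```

Running it shows the trade-off the safe mode has to make: with no encoding the parser reports an `onmouseover` attribute on the anchor; full URL-encoding removes it but also turns `tag=` into `tag%3D`, so the printable view no longer carries the request's parameters; attribute-safe escaping removes the injected attribute and leaves the query string readable.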
Used http://code.google.com/p/ratproxy/ for a few days on the latest test instance on my laptop, and did not find anything odd.
-- TWiki:Main.SopanShewale - 26 Mar 2009