Extension:XSSProtector
| | |
|---|---|
| Release status | experimental |
| Implementation | User interface |
| Description | Add an extra layer of defense against XSS |
| Author(s) | Brian Wolff |
| Latest version | 1.1 |
| Compatibility policy | Snapshot releases along with MediaWiki. Master is not backward compatible. |
| License | GNU General Public License 2.0 or later |
| Download | Wikimedia version control (see README) |
This is an experimental extension to add an extra layer of defense against XSS attacks.
The idea is that it "disables" JavaScript within the body of the article. This should stop attacks while not stopping legitimate JavaScript.
You simply enable it, and your wiki should be more secure. However it may break certain extensions that do unusual things, so you should test carefully. If using on MediaWiki 1.39, be sure to use the REL1_39 branch.
Details
It is designed to be as minimally invasive as possible, but there may still be extensions that are not compatible with it. Generally, extensions that follow MediaWiki coding conventions for JavaScript (i.e. use ResourceLoader and do not use HTML attributes starting with "on") should be compatible. There are some config options that adjust how aggressive the extension is, which may help with compatibility in some cases.
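A compatibility pre-check for the conventions above, as an added example that is not part of the XSSProtector extension: it scans rendered article HTML (a constructed sample is embedded) for inline "on*" handlers, javascript: URLs and inline <script> bodies, the constructs an extension would need to drop before an inline-script-blocking layer is deployed. The CSP wording in the comments (script-src without 'unsafe-inline') describes CSP in general and is an assumption, not a description of the policy this extension actually emits.

```python
from html.parser import HTMLParser

class InlineScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []            # (kind, tag, detail) tuples
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        for name, value in attrs:
            if name.startswith("on"):   # the "on*" attributes the page warns about
                self.findings.append(("event-handler", tag, f"{name}={value!r}"))
            elif name in ("href", "src", "action") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", tag, f"{name}={value!r}"))
        if tag == "script":
            # Inline script bodies are what a script-src policy without
            # 'unsafe-inline' blocks; external ones (e.g. ResourceLoader's
            # load.php) are listed separately for review, not as clashes.
            if src is None:
                self._in_inline_script = True
            else:
                self.findings.append(("external-script", tag, f"src={src!r}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.findings.append(("inline-script", "script", data.strip()[:60]))

def scan_html(html):
    """Return (kind, tag, detail) findings for a rendered HTML fragment."""
    parser = InlineScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def clash_kinds(html):
    """Finding kinds that would likely break, or be blocked, under the extension."""
    return sorted({k for k, _, _ in scan_html(html) if k != "external-script"})

# Constructed sample of article-body HTML (not taken from any real wiki).
SAMPLE = ('<div class="mw-parser-output"><p>Hi <a href="/wiki/Main_Page">x</a></p>'
          '<img src="/x.png" onerror="alert(1)"><a href="JavaScript:void(0)">c</a>'
          '<script>document.title="x"</script>'
          '<script src="/w/load.php?modules=startup"></script></div>')
```

Run `scan_html()` over the HTML of a few representative pages with each third-party extension enabled; an empty `clash_kinds()` result is a good sign, a non-empty one points at exactly the markup to investigate before enabling the extension.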
This only adds a layer and is not infallible. It cannot solve all XSS problems. Even for the XSS it does prevent, it does not prevent style injection, which could be used to leak data. This is only meant as a last layer of defense. Any XSS issues discovered should be fixed immediately even if you have this extension.
This extension only guards against XSS. While it uses CSP, it does not attempt to use any CSP features not related to XSS (e.g. controlling outbound network connections). It uses only the minimal CSP features, so as to be as nondisruptive as possible, and thus does not take advantage of the full anti-XSS protection that CSP has to offer.
How successful is it
Looking through the vulnerabilities reported in MediaWiki 1.39.0 to 1.39.13, there were 29 reported. I believe this extension would have made 12 of them not exploitable (41%), including all of the vulnerabilities that I personally would consider high severity.
Installation
- Download and move the extracted XSSProtector folder to your extensions/ directory.
  Developers and code contributors should install the extension from Git instead, using:
  cd extensions/
  git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/XSSProtector
- Add the following code at the bottom of your LocalSettings.php file:
  wfLoadExtension( 'XSSProtector' );
- Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.
Configuration parameters
$wgXSSProtectorReplaceMessage
- Disable dynamic replacement of Message class. This reduces protection but may be required for compatibility sometimes.
$wgXSSProtectorScriptless
- Attempt to prevent scriptless XSS (Higher risk of clashing with extensions for not that much value). Disables <form> and <meta> tags.
$wgXSSProtectorLaxSpecialPage
- Don't process the HTML parts of special pages