Any XSS code can be stored?

Hello!
I see that any XSS can be stored inside Kirby in pages. Is it ok?!
It is saved and shows alert popups in the frontend of the site.

If you can’t trust your users, you should take care of this in your templates, using the esc()/escape() helpers. In the backend, you can use validators to control what users can enter into any given field.

Related topics:

  1. Why should editors be able to insert JS code inside page content?
  2. Why is it possible to use HTML inside page content, and what is then the reason for Markdown here?

Markdown doesn’t cover everything. So you can use HTML in addition to Markdown. It’s also useful if you import from other sources. I don’t see any reason why it should be prevented.

As I said, it is up to you what sort of content you want to allow in your fields. Kirby provides different field types and validators that allow you to control what a user may enter into a field. IMO, there is no reason whatsoever why Kirby should take care of this. This is your responsibility as a developer.

And as I already said, you can and you should take care of this in your templates.

Just wondering: are there any reasons to have Markdown at all? Because HTML and JS are still allowed in the pages for EDITORS, NOT DEVELOPERS… just wondering.

Usually, editors would enter content in Markdown, not HTML tags. But Kirby gives you the freedom to do what you want and what suits your editors best. Markdown - in addition to being easy to use to mark up headings, lists etc. - is also much more readable than content between HTML tags.

As regards JS: in some cases, users need to be able to enter JS code into a text field.

Is it really hard for editors?

VARIANT 1

[h2]Lorem ipsum dolor sit amet[/h2]
[p]Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.[/p]

VARIANT 2

## Lorem ipsum dolor sit amet
Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

In the first variant you can control that no HTML or JS that is not allowed will be passed to the templates.

Well, this is the way Kirby works. You can use Markdown, HTML or even create your own tags like in your first variant, if you want to. You can even create your own custom WYSIWYG fields, if you want. You can create any validator you want.
You can strip tags from content using kirbytext filters. You have all the options.

Why should Kirby lock you in? It’s just not Kirby’s philosophy to make opinionated decisions for you. If all this is not for you, then maybe Kirby is not the right choice?

I must admit I don’t really see what the problem is?
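The advice in this thread (escape with the esc()/escape() helpers in the template, or strip tags down to what is allowed) side by side, as an added example in plain PHP; it is not code from the forum or from Kirby, and the `esc()` function, the render functions and the sample field content are stand-ins constructed for illustration.

```php
<?php
// Added example, not code from the forum thread or from Kirby itself. Plain-PHP
// stand-ins for the advice given: what an editor saves is just text; the template
// decides whether that text is rendered as markup, escaped, or reduced to an allow-list.
declare(strict_types=1);

// Constructed sample field content, the kind of thing the thread says an editor can save.
const STORED_TEXT = '<h2>Lorem ipsum</h2><p onmouseover="alert(2)">dolor sit amet</p>'
    . '<script>alert(1)</script>';

// Stand-in for the esc()/escape() helper: encode for an HTML text context so the
// browser displays the markup instead of interpreting it.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The Starterkit-style template: the field is echoed raw. Anything an editor saved
// is sent to every visitor as live markup, script included.
function renderRaw(string $fieldText): string
{
    return '<article>' . $fieldText . '</article>';
}

// A field that is meant to hold plain text: escape on output. No markup survives.
function renderEscaped(string $fieldText): string
{
    return '<article>' . esc($fieldText) . '</article>';
}

// A field that may hold some HTML: keep only allow-listed tags.
// Caveat: strip_tags() removes disallowed tags but leaves every attribute on the
// allowed ones, so the onmouseover handler above survives. Treat this as a first
// filter only and use a real HTML sanitizer (e.g. HTML Purifier) when attributes matter.
function renderAllowlisted(string $fieldText, array $allowedTags = ['h2', 'p']): string
{
    return '<article>' . strip_tags($fieldText, $allowedTags) . '</article>';
}

// Run with `php example.php` to compare the three renderings of the same stored text.
echo renderRaw(STORED_TEXT), PHP_EOL, PHP_EOL;
echo renderEscaped(STORED_TEXT), PHP_EOL, PHP_EOL;
echo renderAllowlisted(STORED_TEXT), PHP_EOL;
```

The same stored text gives three different pages: the raw render executes the script, the escaped render shows the tags as literal text, and the allow-listed render drops the script but keeps the event handler attribute, which is why strip_tags() alone is not a sanitizer.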

I see the problem that editors can break the site, because editors can insert any code they want without any responsibility. There are no roles to avoid this.

That’s why I already said you have to prevent your editors from breaking your site if you can’t trust them. Use some or all of the methods enumerated above.

You have to do the same you would do if you included a form in the frontend. A form in the backend is no different. Kirby doesn’t do that for you but it gives you the methods you need.

As I see it, there should at least be:

  • editors (only editing text)
  • designers (only creating templates)
  • developers (developing everything)

In Kirby I see that everybody is a developer. Is that a good and safe architecture?

A Panel editor doesn’t have access to the templates, an editor can only edit content in the Panel. You can use permissions to define what an editor can edit or access in the Panel.

What makes you think that?

And as regards the dividing line between developers and designers, that may be thin. There are enough designers out there who do the developing part as well and vice versa. Kirby is just a tool that helps you create a website and the dev team does its best to provide a secure architecture.

What you do with it, that is up to you. You are responsible for the security of your website. If you use a badly secured server, that is your responsibility. If you do not use HTTPS, that is your responsibility. If you write insecure code inside your templates, that is your responsibility. If you use plugins with bad code, that is your responsibility.


Hmm… but why is it a security issue for e.g. WordPress, but okay for Kirby?

I’m not sure what exactly you are referring to.

I think I have tried to explain the philosophy behind Kirby and what you can and should do to protect your site. You can find a few more hints regarding security in the documentation.

For what sort of use case are you evaluating Kirby? And why would you want to give people with potentially malicious intentions access to your backend, anyway? If they are likely to inject malicious code, don’t let them access the backend. Even if the backend didn’t allow Javascript code, they could still delete all your content. So where is the point?

I think the confusion here is caused by the fact that you’re testing Kirby and the Starterkit and you’re treating the two as one whole thing.

Yes, in the Starterkit XSS is an option (@texnixe maybe it shouldn’t?), but that has nothing to do with Kirby itself.
As @texnixe has pointed out, Kirby is not very opinionated when it comes to what you can and can’t do with your site. If you need to use JS in the backend, go for it. If you want to use HTML, again, go for it. If you don’t, then you have plenty of options to sanitize the content in the frontend.

The frontend is up to you, what you do with the data is up to you. That JS code is stored in a .txt file and is not different from MD or HTML or anything else in that regard. It’s just text. If you then want to display everything in the frontend without any type of security check then yes, you’ll be vulnerable to XSS but that’s not really a problem.

Kirby is more developer oriented than WordPress. WP MUST have a ton of checks in place because it’s used by some very non-tech people that don’t really know what they’re doing most of the time. And it also has a ton of moving places and components you can swap.

That’s not the case here with Kirby. Here the backend, content and frontend are closely related and it’s up to you to decide what to do with those components.

You shouldn’t be too worried about XSS or security in general unless your goal is to use the Starterkit as is; in that case then yes, XSS is possible, but you can easily fix that on your own.

I don’t know. If we start escaping everything, then people wouldn’t be able to add html tags anymore.

On the other hand, we can’t trust in the fact that everyone who uses Kirby knows what they are doing, just because Kirby is more developer oriented. Far from it.

But hey, we just can’t control what they do in their templates. We can’t control how secure their servers are. If they still use HTTP or FTP, then this is a risk we can’t control. If they use an outdated PHP version, then this is a risk we can’t control (unless we only allow the latest PHP version). The risk that someone hacks your site from the outside because of such a security risk is probably higher than that someone you trust with access to the Panel inserts some malicious JS.

This is a non-issue. It is exactly the same case for WordPress: https://wpshout.com/wordpress-xss-attack/ .

It is up to the developer to sanitize in templates. You can’t possibly sanitize input; many people need this.

If you have a bad actor with access to your administration, then you have a whole bag of problems.

Yes I see, same… in WP, any editor can save any JS code.

[edit by @texnixe]

@the.lord.gabriel Could you please stop using swear words here in this forum? Thank you! I will have to close this topic otherwise.

It is one thing to ask questions, but quite another to come here and claim things that are just not true, apparently without really knowing what you can and can’t do in Kirby to protect your site.

I think we have gone to such lengths now to explain that this is not an issue but your responsibility to take care of. I don’t like the way this discussion is going on your side, completely ignoring what has been explained. No-one in the world forces you to use Kirby if you don’t think it is ok.
