Specifications
Learn how to enable specific protocols, CSS styles, and HTML
tags and attributes.
The default wiki server setup simplifies administration by removing potentially harmful
protocols, CSS styles, and HTML tags and attributes. The wiki server can allow all
protocols, CSS styles, and HTML tags and attributes.
The wiki server uses two whitelist files (a built-in whitelist and a custom whitelist) to
determine allowed protocols, CSS styles, and HTML tags and attributes. Elements that
appear in either whitelist are allowed, and all other elements are disallowed.
The built-in whitelist includes common, usually harmless, elements. It doesn’t include
potentially harmful tags like embed, param, object, and script. To embed Flash or
YouTube in your site, you must include some of these tags. If you create a custom
whitelist, you can allow these elements, along with new styles (such as font-size) and
protocols (such as irc and scp).
These whitelists affect all wikis on the server.
WARNING: Some protocols, HTML tags, and attributes can compromise your server’s
security and integrity, or harm users who connect to your server. Make sure you
understand the implications of whatever you enable. For example, allowing JavaScript
introduces security vulnerabilities such as cross-site scripting. For information about
cross-site scripting, see http://en.wikipedia.org/wiki/Cross-site_scripting.
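The rule above (an element is allowed if it appears in either whitelist, and everything else is removed) as an added Python example; it is not the wiki server's code. The list contents, the sample input, and names such as merge and sanitize are constructed for illustration and do not reflect the real built-in whitelist or the whitelist.plist format.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample lists and input: not Apple's built-in list or plist format.
BUILTIN = {"tags": {"p", "a", "b", "i"}, "attrs": {"href", "src", "title"},
           "protocols": {"http", "https", "mailto"}}
CUSTOM = {"tags": {"embed", "object", "param"}, "attrs": {"type", "name", "value"},
          "protocols": {"irc"}}
URL_ATTRS = {"href", "src"}
SAMPLE = '<a href="javascript:x" onclick="y">a</a><a href="irc://h/c">b</a><embed src="/m.swf">'

def merge(*whitelists):
    """An element is allowed if it appears in either whitelist (set union)."""
    return {k: set().union(*(w[k] for w in whitelists))
            for k in ("tags", "attrs", "protocols")}

class Sanitizer(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = allowed, []

    def _url_ok(self, value):
        # Drop whitespace/control chars first so "java\tscript:" cannot hide a scheme.
        m = re.match(r"([a-z][a-z0-9+.-]*):", re.sub(r"[\x00-\x20]", "", value).lower())
        return m is None or m.group(1) in self.allowed["protocols"]

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed["tags"]:
            return  # anything in neither whitelist is dropped
        kept = ""
        for name, value in attrs:
            if name in self.allowed["attrs"] and (
                    name not in URL_ATTRS or self._url_ok(value or "")):
                kept += f' {name}="{escape(value or "", quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.allowed["tags"]:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(html, allowed):
    parser = Sanitizer(allowed)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

With only the built-in sample list, sanitize(SAMPLE, merge(BUILTIN)) strips the irc link target and the embed tag; merging in CUSTOM keeps both, while the javascript: URL and the onclick attribute are removed in either case.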
Creating a Custom Whitelist
To create a custom whitelist, create a plain text file named whitelist.plist in:
/Library/Application Support/Apple/WikiServer/
4
Allowing Specific Protocols, CSS Styles, and HTML Tags and Attributes