en:beginner:customization [2019/09/23 11:19]
kjdon [Useful Links for Customisation]
en:beginner:customization [2019/12/05 13:33]
anupama [Customization]
Line 72: Line 72:
 Greenstone2 is built on [[en:​user:​macros|macros]],​ which look like ''​_this_''​ and basically stand for Greenstone2 is built on [[en:​user:​macros|macros]],​ which look like ''​_this_''​ and basically stand for
 a block of text or code.  a block of text or code. 
 +===== Maintaining security when customising GS2 macros =====
 +A large part of Greenstone 2's security against cross-site scripting (XSS) is implemented in Greenstone 2.87+ in the macros files. This means that if you are customising it by reusing macros such as in new forms or paragraphs, you will need to be aware of how to do so in a secure way.
 +Every macro variable now has additional variants of itself: variants that are safe to use in an HTML context, in an HTML attribute context, CSS context, URL context, JavaScript context and SQL context. ​
 +The additional variants of each variable are denoted by the suffixes:
 +<​code>​Htmlsafe,​ Attrsafe, Csssafe, Urlsafe, Jssafe, Sqlsafe</​code>​
 +The variable name suffixes of these additional variants'​ indicate the context in which each is to be used. 
 +For example//, the ''​_cgiargq_''​ variable has the following variants:
 +In reusing existing macros when you want to customise Greenstone 2 macro files, carefully select the appropriate variant of the variable you want depending on the context in the file where that variable needs to be used.
 +In some cases, this can be straightforward:​ if it is going into an HTML attribute, use the ''​Attrsafe''​ variant. If it's going to be (part of) a URL, use the Urlsafe version. If it goes into regular JavaScript code, use the Jssafe version, etc.
 +An example of a more complex case would be where Javascript produces HTML. If the variable is part of the HTML page produced by some JavaScript code, you need to use the ''​Htmlsafe''​ variant instead of the Jssafe variant.
 +If you make your customisations consciously and sensibly, your modified macro files will continue to keep Greenstone 2's security intact.
 +For more information:​
 +  * [[https://​www.owasp.org/​index.php/​Cross-site_Scripting_%28XSS%29|OWASP Cross Site Scripting (XSS) page]]
 +  * [[https://​cheatsheetseries.owasp.org/​cheatsheets/​Cross_Site_Scripting_Prevention_Cheat_Sheet.html|OWASP XSS cheat sheet]]
 </​TAB>​ </​TAB>​
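Review bot: The line "For example//, the ''_cgiargq_'' variable has the following variants:" in this hunk introduces a list that never appears, and the stray `//` after "example" reads as an unclosed DokuWiki italic marker that will italicise the rest of the paragraph; either add the variant list the sentence promises (presumably the six suffixed forms of _cgiargq_ built from the suffixes in the code block just above it) or drop the sentence. Two smaller points in the same hunk: "these additional variants' indicate" carries a stray apostrophe, and Attrsafe is set in ''monospace'' while Urlsafe, Jssafe and Htmlsafe in the neighbouring sentences are not, so the markup should be made consistent. Finally, the "JavaScript produces HTML" paragraph tells the reader to use Htmlsafe instead of Jssafe, but a value that sits inside a JavaScript string literal and is later written out as HTML is in both contexts at once; it would help to state whether the Htmlsafe variant also escapes the quote and newline characters that would terminate the JavaScript string, or whether the value must be escaped for the JavaScript context and the HTML context together, since a reader following the sentence literally could reintroduce exactly the breakout this section is meant to prevent.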