en:beginner:customization [2019/09/22 23:19] – [Useful Links for Customisation] kjdon | en:beginner:customization [2019/12/05 00:30] – anupama
Line 72: | Line 72: | ||
Greenstone2 is built on [[en: | Greenstone2 is built on [[en: | ||
a block of text or code. | a block of text or code. | ||
+ | |||
+ | ===== Maintaining security when customising GS2 macros ===== | ||
+ | |||
+ | A large part of Greenstone 2's security against cross-site scripting (XSS) is implemented in Greenstone 2.87+ in the macros files. This means that if you are customising it by reusing macros such as in new forms or paragraphs, you will need to be aware of how to do so in a secure way. | ||
+ | |||
+ | Every macro variable now has additional variants of itself: variants that are safe to use in an HTML context, in an HTML attribute context, CSS context, URL context, JavaScript context and SQL context. | ||
+ | |||
+ | The additional variants of each variable are denoted by the suffixes: Htmlsafe, Attrsafe, Csssafe, Urlsafe, Jssafe, Sqlsafe. The variable name suffixes of these additional variants' | ||
+ | |||
+ | For example, the '' | ||
+ | < | ||
+ | _cgiargqAttrsafe_ | ||
+ | _cgiargqCsssafe_ | ||
+ | _cgiargqUrlsafe_ | ||
+ | _cgiargqJssafe_ | ||
+ | _cgiargqSqlsafe_</ | ||
+ | |||
+ | In reusing existing macros when you want to customise Greenstone 2 macro files, carefully select the appropriate variant of the variable you want depending on the context in the file where that variable needs to be used. | ||
+ | |||
+ | In some cases, this can be straightforward: | ||
+ | |||
+ | An example of a more complex case would be where Javascript produces HTML. If the variable is part of the HTML page produced by some JavaScript code, you need to use the '' | ||
+ | |||
+ | If you make your customisations consciously and sensibly, your modified macro files will continue to keep Greenstone 2's security intact. | ||
+ | |||
+ | For more information: | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
</ | </ | ||
</ | </ |
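Review bot: the "more complex case" paragraph (the one beginning "An example of a more complex case would be where Javascript produces HTML") should state explicitly which suffixed variant, or which combination of variants, applies when one output context is nested inside another, and the section should also say plainly that the unsuffixed variable (the base of `_cgiargqAttrsafe_` and its siblings) is the raw, unescaped value and must not be emitted into any of the listed contexts. As written, "carefully select the appropriate variant of the variable you want depending on the context" leaves the reader to guess in exactly the case where mistakes are most likely; one sentence giving the rule for nested contexts (escape for the context the value finally lands in first, then for the enclosing one, so HTML-escape before JS-escape when script builds markup) would close that gap, and the Htmlsafe variant should appear in the example list alongside the other five so the list matches the six suffixes named above it.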
en/beginner/customization.txt · Last modified: 2023/03/13 20:51 by kjdon