Handling of URI schemes outside the "allowed" URI_SCHEMES

[gmilde]

The input converters differ in their handling of URI references
with a scheme that is not in the set of "allowed URI schemes"
moin.constants.misc.URI_SCHEMES.

• The wiki markups (creole, mediawiki, moinwiki) treat schemes outside of the set as part of a page name, so javascript:alert('xss') becomes wiki.local:javascript:alert%28'xss'%29.

• Markdown happily links to all given URIs - including silly and dangerous ones like javascript: or new item: orange.

• HTML and DocBook turn links to URIs with "unregistered" schemes into simple text. (via converters._util.allowed_uri_scheme()).
  This prevents dangerous links – but also legitimate use of wiki item names containing a colon.

• rST displays a box with a "stop-x" icon and the link text but no explanation, URL or offending scheme.

I plan to improve the rST handling, but wonder whether I should

a) treat unknown schemes as part of an item name (as in wiki markup) or

b) display a proper error message (with reason for failure, error location, full offending URI).

• The first alternative is simpler to implement, consistent with current handling in wiki markup converters and preferable if there is a wiki item with a name containing a colon.
• The second alternative is more explicit and verbose. Links to a local wiki item with a colon in the name would have to be prepended with the "wiki.local" scheme.

Adding "wiki.local" to the supported schemes in moin.constants.misc.URI_SCHEMES would also help with links to pages with colon in the name in HTML and DocBook markup.

[gmilde]

@RogerHaase
Some formats prevent links to non-registered URI schemes while
Markdown happily links to all given URIs - including silly and dangerous ones like javascript:.

Should this be considered a security issue?

If yes, how could I add a "security" tag to the issue?

[RogerHaase]

@gmilde Given your analysis above, I defer to you as to the best approach.

Maybe @ThomasWaldmann or @UlrichB22 have a preference.

[UlrichB22]

I don't have a clear preference.

Adding “wiki.local” to moin.constants.misc.URI_SCHEMES is fine if it helps. If you change URI_SCHEMES, it would be nice to have a comment explaining the meaning of this constant, as it is not self-explanatory to me.

In general, handling should be consistent across all converters and as simple as possible 😏

[gmilde]

Besides the PR I also created a test page:

= URI scheme whitelist =

Moin implements a whitelist of approved URI schemes.

The implementation is inconsistent, though:

 * Link to local item
 
  Moin Wiki: [[javascript:alert%28'hi'%29|click here]]
 
  {{{#!creole
  Creole: [[javascript:alert%28'hi'%29|click here]]
  }}}

 * Rudimentary error box (no message, URI hidden)
   {{{#!rst
   reStructuredText: `click here <javascript:alert('hi')>`__

   A good error message looks, for :example:`, so`:
   }}}

 * Render as text

  {{{#!mediawiki
  Mediawiki:  [javascript:alert%28'hi'%29 click here]
  }}}

 * Render URI as text (hide link text)
  
  {{{#!html
  <html>
  <p>
  HTML: <a href="javascript:alert%28'hi'%29">click here</a>
  </p>
  </html>
  }}}

 * Link to any URI
 
  {{{#!markdown
  Markdown: [click here] [id] or [here](javascript:alert%28'hi'%29)
  [id]: javascript:alert('hi')
  }}}

  {{{#!docbook
  <article xmlns='http://docbook.org/ns/docbook' xmlns:xlink='http://www.w3.org/1999/xlink'>
  <para>
   DokBook: <link xlink:href="javascript:alert%28'hi'%29">click here</link>
  </para>
  </article>
  }}}

Please try in a local wiki and give feedback regarding the preferred handling.