To limit the impact of potential security issues with macros, I suggest the following two changes:
- Enforce restricted mode in the HTML converter that is used by the WYSIWYG editor if the current user doesn’t have edit rights on the current document.
- Restrict the available macros in restricted mode to a list of allowed macros defined by the admin. By default this list should include a few macros like the info/error/warning macros.
The idea of this proposal is that any security issue that involves macros then cannot be exploited anymore on a public wiki where registration is closed but comments are possibly enabled.
I’m aware that the first limitation probably interferes with how the change request application works, so we might need to introduce a way for change request to indicate if a user should be able to use the HTML converter without restrictions on a document.
Any opinions on this?