Security
In versions prior to 5.0, any user with edit access to the wiki could change the `custom.css` and `custom.js` files, as well as the MathJax config. In 5.0, these special files have been locked down for editing, so they should now be safe to use (but still be aware that anyone who can edit these files through other means, e.g. through git access, will be able to change the functionality of the application).
Gollum uses the Loofah gem to filter out any potentially insecure HTML. It uses Loofah's default whitelist for acceptable HTML5 tags and protocols for links, defined here. You can change Loofah's behavior in your `config.rb` (use the `--config` option).

See Loofah's documentation for help in overriding its default behavior, but the below is a quick example you could add to a `config.rb`:
```ruby
require 'loofah'

# Whitelist an attribute:
::Loofah::HTML5::SafeList::ALLOWED_ATTRIBUTES.add('controls')

# Elements: you need to modify the ALLOWED_ELEMENTS_WITH_LIBXML2 constant.
# Loofah uses that constant (see
# https://github.com/flavorjones/loofah/blob/master/lib/loofah/html5/scrub.rb#L14,
# confirmed up to 2.6.0) to determine whether or not to accept an element.

# To delete a whitelisted element:
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.delete('video')

# To add a whitelisted element:
::Loofah::HTML5::SafeList::ALLOWED_ELEMENTS_WITH_LIBXML2.add('iframe')
```