</p> <p> <a href="/privacy" class="wikilink1" title="privacy" data-wiki-id="privacy">Our Privacy Policy</a> </p> </div></div> </div></nav><!-- /aside --> <!-- ********** CONTENT ********** --> <main id="dokuwiki__content"><div class="pad group"> <div class="pageId"><span>devel:security</span></div> <div class="page group"> <!-- wikipage start --> <!-- TOC START --> <div id="dw__toc" class="dw__toc"> <h3 class="toggle">Table of Contents</h3> <div> <ul class="toc"> <li class="level1"><div class="li"><a href="#security_guidelines_for_plugin_authors">Security Guidelines for Plugin Authors</a></div> <ul class="toc"> <li class="level2"><div class="li"><a href="#cross_site_scripting_xss">Cross Site Scripting (XSS)</a></div> <ul class="toc"> <li class="level3"><div class="li"><a href="#typical_vulnerability_examples">Typical Vulnerability Examples</a></div></li> </ul> </li> <li class="level2"><div class="li"><a href="#cross_site_request_forgery_csrf">Cross Site Request Forgery (CSRF)</a></div> <ul class="toc"> <li class="level3"><div class="li"><a href="#typical_vulnerability_example">Typical Vulnerability Example</a></div></li> <li class="level3"><div class="li"><a href="#prevent_csrf">Prevent CSRF</a></div></li> </ul> </li> <li class="level2"><div class="li"><a href="#remote_code_inclusion">Remote Code Inclusion</a></div></li> <li class="level2"><div class="li"><a href="#information_leaks">Information leaks</a></div></li> <li class="level2"><div class="li"><a href="#sql_injection">SQL injection</a></div></li> <li class="level2"><div class="li"><a href="#reporting_security_issues">Reporting Security Issues</a></div></li> </ul></li> </ul> </div> </div> <!-- TOC END --> <h1 class="sectionedit1" id="security_guidelines_for_plugin_authors">Security Guidelines for Plugin Authors</h1> <div class="level1"> <p> Creating <a href="/plugins" class="wikilink1" title="plugins" data-wiki-id="plugins">plugins</a> for DokuWiki is very easy even for novice PHP <a href="/devel:plugins" 
class="wikilink1" title="devel:plugins" data-wiki-id="devel:plugins">programmers</a>. To make sure your plugin does not compromise the security of the whole wiki it is installed on, you should follow the guidelines outlined on this page. </p> <p> <img src="/lib/images/smileys/exclaim.svg" class="icon smiley" alt=":!:" /> Improvement of this page is always welcome. It&#039;s in a very raw state and should be extended with more in-depth information, links and examples. </p> </div> <h4 id="summary">Summary</h4> <div class="level4"> <p> A list of the most common security issues and how to avoid them can be found on this page. A short summary: </p> <ul> <li class="level1"><div class="li"> Cross Site Scripting (XSS) – injects malicious script into the website so that it runs in the user&#039;s browser and manipulates the page</div> </li> <li class="level1"><div class="li"> Cross Site Request Forgery (CSRF) – tricks you into unknowingly performing harmful actions on your site </div> </li> <li class="level1"><div class="li"> Remote Code Inclusion – includes code on the server that is then executed there</div> </li> <li class="level1"><div class="li"> Information leaks – too much information is shown</div> </li> <li class="level1"><div class="li"> SQL injection – an attacker can run unwanted queries against your data</div> </li> </ul> <p> There is also a note on <a href="#reporting_security_issues" title="devel:security ↵" class="wikilink1">reporting security issues</a>. 
</p> </div> <div class="secedit editbutton_section editbutton_1"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Security Guidelines for Plugin Authors] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="security_guidelines_for_plugin_authors" /><input type="hidden" name="codeblockOffset" value="0" /><input type="hidden" name="range" value="1-1049" /><button type="submit" title="Security Guidelines for Plugin Authors">Edit</button></div></form></div> <h2 class="sectionedit2" id="cross_site_scripting_xss">Cross Site Scripting (XSS)</h2> <div class="level2"> <p> This is probably the most common vulnerability to be found in DokuWiki plugins. </p> <p> Cross Site Scripting refers to an attack where malicious JavaScript code is introduced into a website. This can be used to redirect innocent users to malicious websites or to steal authentication cookies. </p> <p> DokuWiki&#039;s plugin mechanism gives plugin developers a great deal of flexibility. In the case of syntax plugins in particular, the framework gives plugins the ability to work with raw unprocessed output. This means the wiki page data which reaches your plugin has not been processed at all. And there will be no further processing on the output after it leaves your plugin. </p> </div> <h4 id="escaping_output">Escaping output</h4> <div class="level4"> <p> At an absolute minimum the plugin should ensure any raw data output has all <abbr title="HyperText Markup Language">HTML</abbr> special characters converted to <abbr title="HyperText Markup Language">HTML</abbr> entities using the <a href="https://secure.php.net/htmlspecialchars()" class="interwiki iw_phpfn" title="https://secure.php.net/htmlspecialchars()">htmlspecialchars()</a> function. 
DokuWiki provides a convenient shortcut called <a href="https://codesearch.dokuwiki.org/search?project=dokuwiki&amp;defs=hsc&amp;path=" class="interwiki plugin_xref" title="search definitions for hsc()">hsc()</a> for the function. URL values should be escaped using <a href="https://secure.php.net/rawurlencode()" class="interwiki iw_phpfn" title="https://secure.php.net/rawurlencode()">rawurlencode()</a>. Which of the two applies depends on where the value ends up, so escape at the point of output rather than when the input is read. </p> <p> Also any wiki data extracted and used internally (e.g. user names) should be treated with suspicion. </p> </div> <h4 id="input_checking">Input checking</h4> <div class="level4"> <p> Always check all your input. Use whitelists, filters and conversions to the exact data type you expect (e.g. casting a number received as a mixed PHP value to an integer) to ensure you have <em class="u">only</em> the data you allowed. </p> <p> Please also refer to our chapter on processing <a href="/devel:request_vars" class="wikilink1" title="devel:request_vars" data-wiki-id="devel:request_vars">request vars</a> like <code>_GET</code>, <code>_POST</code> or <code>_SERVER</code>. 
</p> </div> <h5 id="see_also">See also:</h5> <div class="level5"> <ul> <li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-site scripting" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/Cross-site scripting">Cross-site scripting</a></div> </li> <li class="level1"><div class="li"> <a href="http://ha.ckers.org/xss.html" class="urlextern" title="http://ha.ckers.org/xss.html">XSS Cheat Sheet</a></div> </li> </ul> </div> <div class="secedit editbutton_section editbutton_2"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Cross Site Scripting (XSS)] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="cross_site_scripting_xss" /><input type="hidden" name="codeblockOffset" value="0" /><input type="hidden" name="range" value="1050-2633" /><button type="submit" title="Cross Site Scripting (XSS)">Edit</button></div></form></div> <h3 class="sectionedit3" id="typical_vulnerability_examples">Typical Vulnerability Examples</h3> <div class="level3"> <p> Below, some very common problems are shown. The examples are kept very simple to make the general problem clear. Your plugin is probably more complicated, but you need to watch out for the same vulnerabilities. </p> </div> <h4 id="syntax_bodies">Syntax Bodies</h4> <div class="level4"> <p> Many simple syntax plugins will take some user input and format it in custom <abbr title="HyperText Markup Language">HTML</abbr>. </p> <p> Example: Here is an abridged syntax plugin to wrap a given input in a bold tag. 
</p> <pre class="code php"><span class="kw2">class</span> syntax_plugin_bold <span class="kw2">extends</span> DokuWiki_Syntax_Plugin <span class="br0">&#123;</span> <span class="co1">// common plugin functions ommited</span> &nbsp; <span class="kw2">public</span> <span class="kw2">function</span> connectTo<span class="br0">&#40;</span><span class="re0">$mode</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="re0">$this</span><span class="sy0">-&gt;</span><span class="me1">Lexer</span><span class="sy0">-&gt;</span><span class="me1">addSpecialPattern</span><span class="br0">&#40;</span><span class="st_h">'!!!.*?!!!'</span><span class="sy0">,</span> <span class="re0">$mode</span><span class="sy0">,</span> <span class="st_h">'plugin_bold'</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="br0">&#125;</span> &nbsp; <span class="kw2">public</span> <span class="kw2">function</span> handle<span class="br0">&#40;</span><span class="re0">$match</span><span class="sy0">,</span> <span class="re0">$state</span><span class="sy0">,</span> <span class="re0">$pos</span><span class="sy0">,</span> Doku_Handler <span class="re0">$handler</span><span class="br0">&#41;</span><span class="br0">&#123;</span> <span class="kw1">return</span> <span class="br0">&#91;</span>substring<span class="br0">&#40;</span><span class="re0">$match</span><span class="sy0">,</span> <span class="nu0">3</span><span class="sy0">,</span> <span class="sy0">-</span><span class="nu0">3</span><span class="br0">&#41;</span><span class="br0">&#93;</span><span class="sy0">;</span> <span class="br0">&#125;</span> &nbsp; <span class="kw2">public</span> <span class="kw2">function</span> render<span class="br0">&#40;</span><span class="re0">$format</span><span class="sy0">,</span> Doku_Renderer <span class="re0">$renderer</span><span class="sy0">,</span> <span class="re0">$data</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> <span 
class="kw1">if</span><span class="br0">&#40;</span><span class="re0">$format</span> <span class="sy0">!=</span> <span class="st_h">'xhtml'</span><span class="br0">&#41;</span> <span class="kw1">return</span> <span class="kw4">false</span><span class="sy0">;</span> <span class="re0">$renderer</span><span class="sy0">-&gt;</span><span class="me1">doc</span> <span class="sy0">.=</span> <span class="st_h">'&lt;b&gt;'</span> <span class="sy0">.</span> <span class="re0">$data</span><span class="br0">&#91;</span><span class="nu0">0</span><span class="br0">&#93;</span> <span class="sy0">.</span> <span class="st_h">'&lt;/b&gt;'</span><span class="sy0">;</span> <span class="co1">// no escaping</span> <span class="br0">&#125;</span> <span class="br0">&#125;</span></pre> <p> As you can see, the raw input data captured by the lexer pattern is passed straight on to the render method, where no escaping at all is done. Malicious users could introduce whatever JavaScript and <abbr title="HyperText Markup Language">HTML</abbr> code they want. </p> <p> The fix is simple: proper escaping. 
</p> <pre class="code php"><span class="kw2">class</span> syntax_plugin_bold <span class="kw2">extends</span> DokuWiki_Syntax_Plugin <span class="br0">&#123;</span> <span class="co1">// common plugin functions ommited</span> &nbsp; <span class="kw2">public</span> <span class="kw2">function</span> connectTo<span class="br0">&#40;</span><span class="re0">$mode</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="re0">$this</span><span class="sy0">-&gt;</span><span class="me1">Lexer</span><span class="sy0">-&gt;</span><span class="me1">addSpecialPattern</span><span class="br0">&#40;</span><span class="st_h">'!!!.*?!!!'</span><span class="sy0">,</span> <span class="re0">$mode</span><span class="sy0">,</span> <span class="st_h">'plugin_bold'</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="br0">&#125;</span> &nbsp; <span class="kw2">public</span> <span class="kw2">function</span> handle<span class="br0">&#40;</span><span class="re0">$match</span><span class="sy0">,</span> <span class="re0">$state</span><span class="sy0">,</span> <span class="re0">$pos</span><span class="sy0">,</span> Doku_Handler <span class="re0">$handler</span><span class="br0">&#41;</span><span class="br0">&#123;</span> <span class="kw1">return</span> <span class="br0">&#91;</span>substring<span class="br0">&#40;</span><span class="re0">$match</span><span class="sy0">,</span> <span class="nu0">3</span><span class="sy0">,</span> <span class="sy0">-</span><span class="nu0">3</span><span class="br0">&#41;</span><span class="br0">&#93;</span><span class="sy0">;</span> <span class="br0">&#125;</span> &nbsp; <span class="kw2">public</span> <span class="kw2">function</span> render<span class="br0">&#40;</span><span class="re0">$format</span><span class="sy0">,</span> Doku_Renderer <span class="re0">$renderer</span><span class="sy0">,</span> <span class="re0">$data</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> <span 
class="kw1">if</span><span class="br0">&#40;</span><span class="re0">$format</span> <span class="sy0">!=</span> <span class="st_h">'xhtml'</span><span class="br0">&#41;</span> <span class="kw1">return</span> <span class="kw4">false</span><span class="sy0">;</span> <span class="re0">$renderer</span><span class="sy0">-&gt;</span><span class="me1">doc</span> <span class="sy0">.=</span> <span class="st_h">'&lt;b&gt;'</span> <span class="sy0">.</span> <a href="http://www.php.net/htmlspecialchars"><span class="kw3">htmlspecialchars</span></a><span class="br0">&#40;</span><span class="re0">$data</span><span class="br0">&#91;</span><span class="nu0">0</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="sy0">.</span> <span class="st_h">'&lt;/b&gt;'</span><span class="sy0">;</span> <span class="co1">//escaping</span> <span class="br0">&#125;</span> <span class="br0">&#125;</span></pre> </div> <h4 id="forms">Forms</h4> <div class="level4"> <p> When your plugin provides a form it is very common to validate the input and redisplay the form with the received user input when a validation error occurs. </p> <p> Example: The following shows a form vulnerable to an XSS attack because it does not escape the user provided input correctly: </p> <pre class="code php">&lt;form action=&quot;&quot; method=&quot;post&quot;&gt; &lt;input type=&quot;text&quot; name=&quot;q&quot; value=&quot;<span class="kw2">&lt;?php</span> <span class="kw1">echo</span> <span class="re0">$_REQUEST</span><span class="br0">&#91;</span><span class="st_h">'q'</span><span class="br0">&#93;</span><span class="sy1">?&gt;</span>&quot; /&gt; &lt;input type=&quot;submit&quot; /&gt; //no escaping &lt;/form&gt;</pre> <p> Providing <code>&quot;&gt;&lt;script&gt;alert(&#039;bang&#039;)&lt;/script&gt;</code> as user input would exploit the vulnerability. 
</p> <p> To fix the form use the <a href="https://secure.php.net/htmlspecialchars" class="interwiki iw_phpfn" title="https://secure.php.net/htmlspecialchars">htmlspecialchars()</a> or DokuWiki shortcut <a href="https://codesearch.dokuwiki.org/search?project=dokuwiki&amp;defs=hsc&amp;path=" class="interwiki plugin_xref" title="search definitions for hsc">hsc()</a> function: </p> <pre class="code php">&lt;form action=&quot;&quot; method=&quot;post&quot;&gt; &lt;input type=&quot;text&quot; name=&quot;q&quot; value=&quot;<span class="kw2">&lt;?php</span> <span class="kw1">echo</span> hsc<span class="br0">&#40;</span><span class="re0">$_REQUEST</span><span class="br0">&#91;</span><span class="st_h">'q'</span><span class="br0">&#93;</span><span class="br0">&#41;</span><span class="sy1">?&gt;</span>&quot; /&gt; &lt;input type=&quot;submit&quot; /&gt; //escaping &lt;/form&gt;</pre> <p> In general it is recommended to not hand-craft forms, but use DokuWiki&#039;s <a href="/devel:form" class="wikilink1" title="devel:form" data-wiki-id="devel:form">form library</a>. </p> </div> <h4 id="classes_and_other_attributes">Classes and other Attributes</h4> <div class="level4"> <p> Often plugins will accept multiple parameters and options that are used to modify the output of the plugin. 
</p> <p> Imagine a plugin accepting the following input to display a message box: </p> <pre class="code">&lt;msg warning&gt;Do not believe anything!&lt;/msg&gt;</pre> <p> In the render method of this syntax there might be code like this: </p> <pre class="code php"><span class="re0">$renderer</span><span class="sy0">-&gt;</span><span class="me1">doc</span> <span class="sy0">.=</span> <span class="st_h">'&lt;div class=&quot;msg_'</span> <span class="sy0">.</span> <span class="re0">$class</span> <span class="sy0">.</span> <span class="st_h">'&quot;&gt;'</span> <span class="co1">//$class can be everything</span> <span class="sy0">.</span> <a href="http://www.php.net/htmlspecialchars"><span class="kw3">htmlspecialchars</span></a><span class="br0">&#40;</span><span class="re0">$message</span><span class="br0">&#41;</span> <span class="sy0">.</span> <span class="st_h">'&lt;/div&gt;'</span><span class="sy0">;</span> &nbsp;</pre> <p> As you can see the message itself is properly escaped, but the class is not. 
Instead of escaping, it might be more sensible to use a whitelist of allowed classes with a default fallback: </p> <pre class="code php"><span class="re0">$allowed</span> <span class="sy0">=</span> <span class="br0">&#91;</span><span class="st_h">'notice'</span><span class="sy0">,</span> <span class="st_h">'info'</span><span class="sy0">,</span> <span class="st_h">'warning'</span><span class="sy0">,</span> <span class="st_h">'error'</span><span class="br0">&#93;</span><span class="sy0">;</span> <span class="co1">// whitelist</span> <span class="kw1">if</span><span class="br0">&#40;</span><span class="sy0">!</span><a href="http://www.php.net/in_array"><span class="kw3">in_array</span></a><span class="br0">&#40;</span><span class="re0">$class</span><span class="sy0">,</span> <span class="re0">$allowed</span><span class="br0">&#41;</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="re0">$class</span> <span class="sy0">=</span> <span class="st_h">'notice'</span><span class="sy0">;</span> <span class="co1">// unknown input, fall back to a sane default</span> <span class="br0">&#125;</span> <span class="re0">$renderer</span><span class="sy0">-&gt;</span><span class="me1">doc</span> <span class="sy0">.=</span> <span class="st_h">'&lt;div class=&quot;msg_'</span> <span class="sy0">.</span> <span class="re0">$class</span> <span class="sy0">.</span> <span class="st_h">'&quot;&gt;'</span> <span class="sy0">.</span> <a href="http://www.php.net/htmlspecialchars"><span class="kw3">htmlspecialchars</span></a><span class="br0">&#40;</span><span class="re0">$message</span><span class="br0">&#41;</span> <span class="sy0">.</span> <span class="st_h">'&lt;/div&gt;'</span><span class="sy0">;</span></pre> </div> <h4 id="input_urls">input URLs</h4> <div class="level4"> <p> When a plugin accepts URLs as input, you need to make sure users cannot pass the <code>javascript://</code> pseudo-protocol. 
</p> <p> Here is an example of how a very simple check could look, making sure only http and https URLs are used. Note that this only restricts the scheme; the URL still has to be escaped with <code>hsc()</code> when it is written into an attribute, as described above. </p> <pre class="code php"><span class="co1">// empty URL on protocol mismatch</span> <span class="kw1">if</span><span class="br0">&#40;</span><span class="sy0">!</span><a href="http://www.php.net/preg_match"><span class="kw3">preg_match</span></a><span class="br0">&#40;</span><span class="st_h">'/^https?:\/\//i'</span><span class="sy0">,</span> <span class="re0">$url</span><span class="br0">&#41;</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> <span class="re0">$url</span> <span class="sy0">=</span> <span class="st_h">''</span><span class="sy0">;</span> <span class="br0">&#125;</span></pre> </div> <div class="secedit editbutton_section editbutton_3"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Typical Vulnerability Examples] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="typical_vulnerability_examples" /><input type="hidden" name="codeblockOffset" value="0" /><input type="hidden" name="range" value="2634-6937" /><button type="submit" title="Typical Vulnerability Examples">Edit</button></div></form></div> <h2 class="sectionedit4" id="cross_site_request_forgery_csrf">Cross Site Request Forgery (CSRF)</h2> <div class="level2"> <p> This vulnerability often appears in plugins due to a lack of understanding of the issue, which is frequently confused with XSS. </p> <p> Cross Site Request Forgery refers to an attack where the victim&#039;s browser is tricked by a malicious site into requesting a page on a vulnerable site that performs an unwanted action. The attack assumes the victim&#039;s browser has credentials to change something on the vulnerable site. 
</p> </div> <h4 id="adding_security_token">Adding security token</h4> <div class="level4"> <p> DokuWiki offers functions to help you deal with CSRF attacks. <a href="https://codesearch.dokuwiki.org/search?project=dokuwiki&amp;defs=getSecurityToken&amp;path=" class="interwiki plugin_xref" title="view definition for getSecurityToken()">getSecurityToken()</a> will create a token that should be used to protect any authenticated action. It has to be included in the links or forms triggering that action. All forms created with the <a href="/devel:form" class="wikilink1" title="devel:form" data-wiki-id="devel:form">form library</a> will have security tokens added automatically; for handcrafted forms the <a href="https://codesearch.dokuwiki.org/search?project=dokuwiki&amp;defs=formSecurityToken&amp;path=" class="interwiki plugin_xref" title="view definition for formSecurityToken()">formSecurityToken()</a> function can be used. </p> <p> It is your responsibility as the plugin author to actually check the token, using the <a href="https://codesearch.dokuwiki.org/search?project=dokuwiki&amp;defs=checkSecurityToken&amp;path=" class="interwiki plugin_xref" title="view definition for checkSecurityToken()">checkSecurityToken()</a> function, before executing authorized actions. 
</p> </div> <h5 id="see_also1">See also</h5> <div class="level5"> <ul> <li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross Site Request Forgery" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/Cross Site Request Forgery">Cross Site Request Forgery</a></div> </li> <li class="level1"><div class="li"> <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29" class="urlextern" title="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29">OWASP explanation</a></div> </li> </ul> </div> <div class="secedit editbutton_section editbutton_4"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Cross Site Request Forgery (CSRF)] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="cross_site_request_forgery_csrf" /><input type="hidden" name="codeblockOffset" value="8" /><input type="hidden" name="range" value="6938-8127" /><button type="submit" title="Cross Site Request Forgery (CSRF)">Edit</button></div></form></div> <h3 class="sectionedit5" id="typical_vulnerability_example">Typical Vulnerability Example</h3> <div class="level3"> <p> Below is the simplest example to start. You may have a more complicated plugin of your own to secure, here is just a simple example based on form. 
</p> <p> Imagine you want to know something which can be answered to Yes or No, you would have a form of this type: </p> <pre class="code html4strict"><span class="sc2">&lt;<a href="http://december.com/html/4/element/form.html"><span class="kw2">form</span></a> <span class="kw3">action</span><span class="sy0">=</span><span class="st0">&quot;&quot;</span> <span class="kw3">method</span><span class="sy0">=</span><span class="st0">&quot;GET&quot;</span>&gt;</span> <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;radio&quot;</span> <span class="kw3">name</span><span class="sy0">=</span><span class="st0">&quot;yn&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span class="st0">&quot;Yes&quot;</span> <span class="sy0">/</span>&gt;</span> <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;radio&quot;</span> <span class="kw3">name</span><span class="sy0">=</span><span class="st0">&quot;yn&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span class="st0">&quot;No&quot;</span> <span class="sy0">/</span>&gt;</span> <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;submit&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span class="st0">&quot;Answer&quot;</span> <span class="sy0">/</span>&gt;</span> <span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/form.html"><span class="kw2">form</span></a>&gt;</span></pre> <p> Then you process this form as follows: </p> <pre class="code php"><span class="kw2">global</span> <span class="re0">$INPUT</span><span 
class="sy0">;</span> &nbsp; <span class="kw1">if</span><span class="br0">&#40;</span><span class="re0">$INPUT</span><span class="sy0">-&gt;</span><span class="me1">get</span><span class="sy0">-&gt;</span><span class="me1">has</span><span class="br0">&#40;</span><span class="st_h">'yn'</span><span class="br0">&#41;</span><span class="br0">&#41;</span><span class="br0">&#123;</span> do_something_with_yn<span class="br0">&#40;</span><span class="re0">$INPUT</span><span class="sy0">-&gt;</span><span class="me1">get</span><span class="sy0">-&gt;</span><span class="me1">str</span><span class="br0">&#40;</span><span class="st_h">'yn'</span><span class="br0">&#41;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> So a user is logged in and wants to answer this question, but doesn&#039;t know the answer yet. They take some time to think and browse the web… Now the user visits a malicious website, one which may or may not know that the user is logged in to your DokuWiki. On this website, the developer included this <abbr title="HyperText Markup Language">HTML</abbr> image tag: </p> <pre class="code html4strict"><span class="sc2">&lt;<a href="http://december.com/html/4/element/img.html"><span class="kw2">img</span></a> <span class="kw3">src</span><span class="sy0">=</span><span class="st0">&quot;http://your.dokuwi.ki/formpage?yn=Yes&quot;</span> <span class="sy0">/</span>&gt;</span></pre> <p> What will the user&#039;s browser do then? </p> <p> The browser will process this image like any other and will send a request to this <abbr title="Uniform Resource Locator">URL</abbr>, together with the user&#039;s credentials for your site. Your plugin will then see that <code>$_GET[&#039;yn&#039;]</code> is set and will call the <code>do_something_with_yn()</code> function. </p> <p> That is one example of CSRF. Now, how do we fix this security hole? 
</p> </div> <div class="secedit editbutton_section editbutton_5"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Typical Vulnerability Example] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="typical_vulnerability_example" /><input type="hidden" name="codeblockOffset" value="8" /><input type="hidden" name="range" value="8128-9474" /><button type="submit" title="Typical Vulnerability Example">Edit</button></div></form></div> <h3 class="sectionedit6" id="prevent_csrf">Prevent CSRF</h3> <div class="level3"> <p> Remember your form above? Let&#039;s add a hidden input to it that carries the security token (note that the token value has to be printed with <code>echo</code>, otherwise the field stays empty): </p> <pre class="code html4strict"><span class="sc2">&lt;<a href="http://december.com/html/4/element/form.html"><span class="kw2">form</span></a> <span class="kw3">action</span><span class="sy0">=</span><span class="st0">&quot;&quot;</span> <span class="kw3">method</span><span class="sy0">=</span><span class="st0">&quot;GET&quot;</span>&gt;</span> <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;hidden&quot;</span> <span class="kw3">name</span><span class="sy0">=</span><span class="st0">&quot;sectok&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span class="st0">&quot;&lt;?php echo getSecurityToken(); ?&gt;</span></span>&quot; /&gt; <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;radio&quot;</span> <span class="kw3">name</span><span class="sy0">=</span><span class="st0">&quot;yn&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span 
class="st0">&quot;Yes&quot;</span> <span class="sy0">/</span>&gt;</span> <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;radio&quot;</span> <span class="kw3">name</span><span class="sy0">=</span><span class="st0">&quot;yn&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span class="st0">&quot;No&quot;</span> <span class="sy0">/</span>&gt;</span> <span class="sc2">&lt;<a href="http://december.com/html/4/element/input.html"><span class="kw2">input</span></a> <span class="kw3">type</span><span class="sy0">=</span><span class="st0">&quot;submit&quot;</span> <span class="kw3">value</span><span class="sy0">=</span><span class="st0">&quot;Answer&quot;</span> <span class="sy0">/</span>&gt;</span> <span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/form.html"><span class="kw2">form</span></a>&gt;</span></pre> <p> Do you see the first input? Yes? Good. 
Now you have to check the security token when you receive the form, before processing it: </p> <pre class="code php"><span class="kw2">global</span> <span class="re0">$INPUT</span><span class="sy0">;</span> &nbsp; <span class="kw1">if</span><span class="br0">&#40;</span><span class="re0">$INPUT</span><span class="sy0">-&gt;</span><span class="me1">get</span><span class="sy0">-&gt;</span><span class="me1">has</span><span class="br0">&#40;</span><span class="st_h">'yn'</span><span class="br0">&#41;</span> <span class="sy0">&amp;&amp;</span> checkSecurityToken<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="br0">&#41;</span> <span class="br0">&#123;</span> do_something_with_yn<span class="br0">&#40;</span><span class="re0">$INPUT</span><span class="sy0">-&gt;</span><span class="me1">get</span><span class="sy0">-&gt;</span><span class="me1">str</span><span class="br0">&#40;</span><span class="st_h">'yn'</span><span class="br0">&#41;</span><span class="br0">&#41;</span><span class="sy0">;</span> <span class="br0">&#125;</span></pre> <p> As the malicious website will never find the value of the “sectok” hidden input, your form is no longer vulnerable to CSRF. </p> <p> <strong>Note:</strong> If the security token is not valid, the <code>checkSecurityToken()</code> function displays a message which informs the user. 
</p> </div> <div class="secedit editbutton_section editbutton_6"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Prevent CSRF] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="prevent_csrf" /><input type="hidden" name="codeblockOffset" value="11" /><input type="hidden" name="range" value="9475-10355" /><button type="submit" title="Prevent CSRF">Edit</button></div></form></div> <h2 class="sectionedit7" id="remote_code_inclusion">Remote Code Inclusion</h2> <div class="level2"> <p> This attack allows an attacker to inject (PHP) code into your application. This may occur when including files, or when using unsafe functions like <a href="https://secure.php.net/eval()" class="interwiki iw_phpfn" title="https://secure.php.net/eval()">eval()</a> or <a href="https://secure.php.net/system()" class="interwiki iw_phpfn" title="https://secure.php.net/system()">system()</a>. </p> <p> <strong>Always filter any input</strong> that will be used to load files or that is passed as an argument to external commands. 
</p> </div> <div class="secedit editbutton_section editbutton_7"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Remote Code Inclusion] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="remote_code_inclusion" /><input type="hidden" name="codeblockOffset" value="13" /><input type="hidden" name="range" value="10356-10699" /><button type="submit" title="Remote Code Inclusion">Edit</button></div></form></div> <h2 class="sectionedit8" id="information_leaks">Information leaks</h2> <div class="level2"> <p> This attack may lead to the exposure of files that should usually be protected by DokuWiki&#039;s <abbr title="Access Control List">ACL</abbr> or it might expose files on the server (like <code>/etc/passwd</code>). </p> <p> <strong>Always filter any input</strong> that will be used to load files or that is passed as an argument to external commands. </p> <p> <strong>Always use DokuWiki&#039;s <abbr title="Access Control List">ACL</abbr> check functions when accessing page data</strong>. 
</p> </div> <div class="secedit editbutton_section editbutton_8"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Information leaks] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="information_leaks" /><input type="hidden" name="codeblockOffset" value="13" /><input type="hidden" name="range" value="10700-11080" /><button type="submit" title="Information leaks">Edit</button></div></form></div> <h2 class="sectionedit9" id="sql_injection">SQL injection</h2> <div class="level2"> <p> This attack is rarely relevant in DokuWiki because it uses no database. However, if your plugin accesses a database, always use prepared statements with bound parameters or, where that is not possible, escape all values before using them in SQL statements. </p> <p> More info: </p> <ul> <li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/SQL injection" class="interwiki iw_wp" title="https://en.wikipedia.org/wiki/SQL injection">SQL injection</a></div> </li> </ul> </div> <div class="secedit editbutton_section editbutton_9"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[SQL injection] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="sql_injection" /><input type="hidden" name="codeblockOffset" value="13" /><input type="hidden" name="range" value="11081-11324" /><button type="submit" title="SQL injection">Edit</button></div></form></div> <h2 class="sectionedit10" id="reporting_security_issues">Reporting Security Issues</h2> <div class="level2"> <p> If you encounter an issue with a plugin, please inform the author of the plugin via email, optionally putting <a 
href="mailto:andi%20%5Bat%5D%20splitbrain%20%5Bdot%5D%20org" class="mail" title="andi [at] splitbrain [dot] org">Andi</a> or the <a href="/mailinglist" class="wikilink1" title="mailinglist" data-wiki-id="mailinglist">mailinglist</a> on CC. </p> <p> Additionally a <code>securityissue</code> field with a short description of the problem should be added to the <a href="/plugin:repository" class="wikilink1" title="plugin:repository" data-wiki-id="plugin:repository">data</a> on the page of the plugin. This will create a red warning box and will delist the plugin from the main plugin list. </p> <p> Once the issue was fixed and a new release was made, this field should be removed again. </p> </div> <div class="secedit editbutton_section editbutton_10"><form class="button btn_secedit" method="post" action="/devel:security"><div class="no"><input type="hidden" name="do" value="edit" /><input type="hidden" name="rev" value="1736757858" /><input type="hidden" name="summary" value="[Reporting Security Issues] " /><input type="hidden" name="target" value="section" /><input type="hidden" name="hid" value="reporting_security_issues" /><input type="hidden" name="codeblockOffset" value="13" /><input type="hidden" name="range" value="11325-" /><button type="submit" title="Reporting Security Issues">Edit</button></div></form></div> <!-- wikipage stop --> </div> <div class="docInfo"><bdi>devel/security.txt</bdi> · Last modified: <time datetime="2025-01-13T09:44:18+0100">2025-01-13 09:44</time> by <bdi>2a02:21b4:241d:800:541c:3ef3:be10:3f1e</bdi></div> <hr class="a11y" /> </div></main><!-- /content --> <!-- PAGE ACTIONS --> <nav id="dokuwiki__pagetools" aria-labelledby="dokuwiki__pagetools__heading"> <h3 class="a11y" id="dokuwiki__pagetools__heading">Page Tools</h3> <div class="tools"> <ul> <li class="edit"><a href="/devel:security?do=edit" title="Edit this page [e]" rel="nofollow" accesskey="e"><span>Edit this page</span><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" 