This chapter describes how to enable specific protocols, CSS
styles, and HTML tags and attributes.
The default wiki server setup simplifies administration by automatically removing
potentially harmful protocols, CSS styles, and HTML tags and attributes. The wiki server
is capable of allowing all protocols, CSS styles, and HTML tags and attributes.
The wiki server uses two whitelist files (a built-in whitelist and a custom whitelist) to
determine allowed protocols, CSS styles, and HTML tags and attributes. Elements that
appear in either of these whitelists are allowed, and all other elements are disallowed.
The built-in whitelist includes common, usually harmless, elements. It doesn’t include
potentially harmful tags like embed, param, object, and script. To embed Flash or
YouTube in your site, you’ll need to include some of these tags. If you create a custom
whitelist, you can allow these elements, along with new styles (such as font-size) and
protocols (such as irc and scp).
These whitelists affect all wikis on the server.
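The "allowed if it appears in either whitelist" rule can be modeled as a set union applied while filtering markup. The sketch below is an added example, not the wiki server's own code or whitelist file format; the names BUILTIN, CUSTOM, SAMPLE, url_ok and sanitize and the list contents are hypothetical.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample whitelists and input (assumptions), not the server's real lists.
BUILTIN = {("tag", "p"), ("tag", "a"), ("attr", "href"), ("attr", "style"),
           ("protocol", "http"), ("protocol", "https"), ("style", "color")}
CUSTOM = {("tag", "embed"), ("attr", "src"), ("protocol", "irc"), ("style", "font-size")}
SAMPLE = ('<p style="color: red; font-size: 40px"><a href="irc://chat.example.org/wiki" '
          'onclick="x()">IRC</a></p><embed src="https://video.example.org/clip">')

def url_ok(value, allowed):
    try:
        scheme = urlsplit(value.strip()).scheme.lower()
    except ValueError:
        return False  # unparseable URL: fail closed
    return not scheme or ("protocol", scheme) in allowed  # relative URLs have no scheme

class Sanitizer(HTMLParser):
    def __init__(self, *whitelists):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = set().union(*whitelists), []  # allowed if in either list

    def handle_starttag(self, tag, attrs):
        if ("tag", tag) not in self.allowed:
            return  # tag dropped; any text inside it is still emitted, escaped
        kept = ""
        for name, value in attrs:
            value = value or ""
            if ("attr", name) not in self.allowed or (
                    name in ("href", "src") and not url_ok(value, self.allowed)):
                continue  # e.g. onclick, or a javascript: link
            if name == "style":  # filters by property name only, not by value
                value = "; ".join(d.strip() for d in value.split(";") if
                                  ("style", d.split(":")[0].strip().lower()) in self.allowed)
            kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if ("tag", tag) in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup, *whitelists):
    parser = Sanitizer(*whitelists)
    parser.feed(markup)
    parser.close()  # flush text buffered after the last tag
    return "".join(parser.out)
```

Calling sanitize(SAMPLE, BUILTIN) and then sanitize(SAMPLE, BUILTIN, CUSTOM) shows exactly what a custom whitelist adds: the irc link, the font-size declaration and the embed tag survive only in the second call, while onclick is removed in both.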
WARNING: Some protocols, HTML tags and attributes can compromise your
server’s security and integrity, or harm users who connect to your server. Make
sure you understand the implications of whatever you enable. For example,
allowing JavaScript introduces security vulnerabilities such as cross-site scripting.
For information about cross-site scripting, see
Allowing Specific Protocols, CSS Styles, and HTML Tags and Attributes