Added content security section to the api docs

Related to #3636
This commit is contained in:
Dan Brown 2022-08-11 10:49:45 +01:00
parent 5f7cd735ea
commit e02bd5e57e
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 20 additions and 0 deletions


@ -86,6 +86,9 @@ class PageApiController extends ApiController
* *
* Pages will always have HTML content. They may have markdown content * Pages will always have HTML content. They may have markdown content
* if the markdown editor was used to last update the page. * if the markdown editor was used to last update the page.
*
* See the "Content Security" section of these docs for security considerations when using
* the page content returned from this endpoint.
*/ */
public function read(string $id) public function read(string $id)
{ {
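Review bot: the cross-reference is added only to the `read` docblock, but the sentence just above it ("Pages will always have HTML content. They may have markdown content ...") describes page content wherever it is returned, so any other endpoint in this controller that responds with page HTML or markdown should carry the same "See the "Content Security" section" note, or the note should move to the class-level docblock so it is not missed. Also, "of these docs" is ambiguous inside a PHP docblock that is later rendered into the API documentation page; "of the API docs" says where the section actually lives.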


@ -16,6 +16,7 @@
<div class="mb-xs"><a href="#listing-endpoints">Listing Endpoints</a></div> <div class="mb-xs"><a href="#listing-endpoints">Listing Endpoints</a></div>
<div class="mb-xs"><a href="#error-handling">Error Handling</a></div> <div class="mb-xs"><a href="#error-handling">Error Handling</a></div>
<div class="mb-xs"><a href="#rate-limits">Rate Limits</a></div> <div class="mb-xs"><a href="#rate-limits">Rate Limits</a></div>
<div class="mb-xs"><a href="#content-security">Content Security</a></div>
</div> </div>
@foreach($docs as $model => $endpoints) @foreach($docs as $model => $endpoints)


@ -179,4 +179,20 @@ API_REQUESTS_PER_MIN=180</code></pre>
It's generally good practice to limit requests made from your API client, where possible, to avoid It's generally good practice to limit requests made from your API client, where possible, to avoid
affecting normal use of the system caused by over-consuming system resources. affecting normal use of the system caused by over-consuming system resources.
Keep in mind there may be other rate-limiting factors such as web-server & firewall controls. Keep in mind there may be other rate-limiting factors such as web-server & firewall controls.
</p>
<hr>
<h5 id="content-security" class="text-mono mb-m">Content Security</h5>
<p>
Many of the available endpoints will return content that has been provided by user input.
Some of this content may be provided in a certain data-format (Such as HTML or Markdown for page content).
Such content is not guaranteed to be safe so keep security in mind when dealing with such user-input.
In some cases, the system will apply some filtering to content in an attempt to prevent certain vulnerabilities, but
this is not assured to be a bullet-proof defence.
</p>
<p>
Within its own interfaces, unless disabled, the system makes use of Content Security Policy (CSP) rules to heavily negate
cross-site scripting vulnerabilities from user content. If displaying user content externally, it's advised you
also use defences such as CSP or the disabling of JavaScript completely.
</p> </p>
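Review bot: the new Content Security section is too vague for an API consumer to act on. "the system will apply some filtering to content in an attempt to prevent certain vulnerabilities" should either name what is filtered from page HTML and when (on save, on read), or state plainly that the API returns stored content as-is, so the reader knows what remains their responsibility; "heavily negate" should be "mitigate", since a CSP limits the impact of a cross-site scripting payload rather than removing it; and "the disabling of JavaScript completely" is not concrete advice. Suggest spelling out the options a consumer actually has when rendering the returned HTML: render it only inside a sandboxed iframe or under a policy such as `script-src 'none'`, or pass it through an allow-list HTML sanitiser before insertion, and treat the markdown field as untrusted input to whatever markdown renderer is used. Finally, "unless disabled" would be clearer if the setting that disables the CSP were named, in the same way the Rate Limits section above names `API_REQUESTS_PER_MIN`.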