Manual:Extension/BlueSpiceSocialBlog and Announcement/XSS attack: Difference between pages

Announcement/XSS attack

{{Featurepage|featured=true|featuredesc=Patch Release 4.1.3 contains an important '''security fix''' for a “reflected XSS” attack. <span class="bi bi-exclamation-circle-fill" style="color:orange"></span>|featurestart=04/25/2022}}
==Event==
XSS attack vector in ''mwstake/mediawiki-component-commonuserinterface''.

== Evaluation of the vulnerability in BlueSpice ==
The value of the ''title'' parameter is written to the output without escaping (for example into a ''list-group-item'' element). Because the parameter value is reflected from the request into the response unescaped, any markup it contains is rendered by the browser, which is the precondition for a reflected cross-site scripting attack.

[[Setup:Release Notes#4.1.3|Patch release 4.1.3]] contains an important security fix for this vulnerability.

The [[Security:Security_Advisories/BSSA-2022-02|corresponding CVE entry]] is still pending and will be published soon. It is highly recommended that all users update their installation of BlueSpice 4 as soon as possible.

[[de:Meldung/XSS attack]]
[[en:{{FULLPAGENAME}}]]

Manual:Extension/BlueSpiceSocialBlog

{{DISPLAYTITLE:Blog}}
The extension ''BlueSpiceSocialBlog'' is part of ''BlueSpiceSocial'', the communications module of BlueSpice. In addition to the type ''blog'', there are other types of so-called social entities, such as ''comment'', ''discussion topic'', ''attachment'', or ''microblog''.

==About the blog==
Basically, a blog is a list of posts, questions, or feedback from different users, usually sorted chronologically. Lively communication can arise when blog entries are commented on, recommended, linked with related articles, or placed on a personal watchlist.

The blog is ready to use on the special page ''Special:Blog''. This page is linked directly from the main navigation in every new wiki installation, so you can start using the blog right away.
[[File:nav-blog.png|alt=Navigation link to the blog page|center|thumb|202x202px|Navigation link to the blog page]]

== Characteristics and features ==
* A blog entry consists of a title and content.
* '''Comments:''' Users can leave comments on each blog entry.
 
* '''Actions:'''
** '''Delete:''' Editors can delete their own posts. Administrators can delete all posts. Deleted posts are no longer displayed. Exception: Administrators see deleted items with a red background and can restore them.
** '''Recommend:''' Blog posts can be recommended. It is possible to generate a list of posts with the most recommendations via the timeline filter. (See: Embedding the blog on a page)
** '''Linked page:''' Every blog entry is connected to a wiki page by the system. By default, this is the main page of the wiki. However, other pages can be added as "Linked page". Blog entries can then be filtered for linked pages via the ''Special:Timeline'' page.
** '''Watch:''' Own blog posts and comments are automatically added to the watch list.
* '''Permissions:''' It is possible to allow users with read permissions on the wiki to comment on blog entries. See: [[Manual:Extension/BlueSpiceSocial#Permissions|BlueSpiceSocial Permissions]].
 
==Adding the blog to a page==
It is also possible to include the blog functionality on any wiki page. Social contributions of many types can be consolidated and displayed chronologically in a timeline and filtered and sorted as needed.
 
If you want to include a view of your blog on another page of your wiki, for example your homepage, you need to insert the necessary codeblock in the source code of your page.
 
'''To include a blog view:'''
 
#'''Go to''' the page where you want to insert the blog or create a new page.
#'''Open the page'''  in ''Source editing'' mode.
#'''Copy the following code block''' to the section in your page where you want to show the blog.<syntaxhighlight lang="html">
<bs:timeline>
{
    "showentitylistmenu": true,
    "preloadtitles": {
        "blog": "Template:Blog"
    },
    "preloadedentities": [{
        "type": "blog"
    }],
    "headlinemessagekey": "Community-Blog",
    "showheadline": true,
    "usemorescroll": false,
    "morelink": "Special:Blog",
    "limit": 5,
    "sort": [ {
        "property": "timestampcreated",
        "direction": "DESC"
    }],
    "lockedfilternames": [
        "type"
    ],
    "filter": [ {
        "type": "list",
        "property": "type",
        "value": [ "blog" ],
        "comparison": "ct"
    }]
}
</bs:timeline>
</syntaxhighlight>After saving the page, you will see a list of existing blog entries based on the filter and sorting criteria you provided.
 
==Blog parameters==
 
===Output format===
The following table shows the blog elements and the parameters needed to create the output.
[[File:blog-layout-en.png|alt=Blog output|center|thumb|750x750px|Blog output]]
{| class="wikitable"
|+
!Element
!Parameters
!Parameter and element description
!Type
!Default value
|-
| rowspan="2" |1 - header
|headlinemessagekey
|Header text
|string
|''Timeline''
|-
|showheadline
|Show the header text
|boolean
|''true''
|-
| rowspan="7" |2 - blog menu
|showentitylistmenu
|Show or hide the blog menu
|boolean
|''true''
|-
|showentityspawner
|Show the  menu item for creating a blog entry
|boolean
|''true''
|-
|availablesorterfields
|Determines which data fields are included as sorting options in the sort menu. Example: allow sorting only by date created or by the user who created a blog entry:
<code>"availablesorterfields":["timestampcreated","ownerid"]</code>
 
[[File:Manual:blog-filter-timestampcreated.png|350x350px|link=Special:FilePath/Manual:blog-filter-timestampcreated.png]]
 
[[Manual:Extension/BlueSpiceSocialBlog#Sor|List of typical sort fields]]
|array
|all
|-
|lockedoptionnames
|Determines which settings for sorting the user cannot change.
|array
|[]
|-
|availablefilterfields
|Determines which data fields are included as filter options in the filter menu. Example: allow filtering based on Creation date and Linked pages:
<code>"availablefilterfields":["timestampcreated","tags"]</code>
 
[[File:blog-filter-availablefilterfields.PNG|350x350px|link=Special:FilePath/blog-filter-availablefilterfields.PNG]]
|array
|all
|-
|lockedfilternames
|Determines which settings for filtering the user cannot change.
Example: a user cannot change the filter values for ''Linked pages.'' The text field is greyed out:
 
<code>"lockedfilternames": ["tags"]</code>
 
[[File:Manual:blog-filter-lockedfilternames.png|350x350px|link=Special:FilePath/Manual:blog-filter-lockedfilternames.png]]
<br />
|array
|[]
|-
|persistsettings
|Initial settings and custom sort and filter settings are included in the page url. The url can then be used to create a link to the page with the same filter and sort settings.
<code>"persistsettings":true</code>
 
[[File:Manual:blog-filter-persistsettings.png|link=Special:FilePath/Manual:blog-filter-persistsettings.png]]
|boolean
|''false''
|-
|3 -  new blog entry
|preloadedentities
|Shows the text field for creating a new blog entry. If it is not set, the text field is not available.
To show the text field:
 
<code>"preloadedentities": [{"type":"blog"}]</code>
 
[[File:Manual:blog-preloadentities.png|400x400px|link=Special:FilePath/Manual:blog-preloadentities.png]]
|array of objects
| -
|-
| rowspan="2" |4 - existing blog entry
|outputtypes
|It defines the display format of the blog entry.
 
Standard types are: ''List, Short, Default, Page.'' ([[Manual:Extension/BlueSpiceSocialBlog#Output type examples|see examples]])
 
Each blog entry is a "social entity".
|object
|''Default''
|-
|limit
|Defines how many social entities are loaded initially. In the code example above it is set to 5.
|integer
|<nowiki>-</nowiki>
|-
|4a - avatar
|<nowiki>-</nowiki>
|Shows the avatar of the user who created the blog entry or comment. It is displayed in all output types except ''List.''
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
|4b - title bar
|<nowiki>-</nowiki>
|In the output type ''List'', the username is not displayed in the title bar.
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
|4c - blog entry content
|<nowiki>-</nowiki>
|Shows the text body of a blog entry. The output type ''Default'' collapses the blog entry content after the first paragraph with a "More" link.
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
|4d - social tags
|<nowiki>-</nowiki>
|Blog entries always include the social tags ''Comments, Recommend, Linked Page, Watch/Unwatch''.
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
|4e - user menu
|<nowiki>-</nowiki>
|Users can edit or delete their own blog entries or comments at any time. The edit  menu is visible for their own entries:
[[File:Manual:blog-editmenu.png|200x200px|link=Special:FilePath/Manual:blog-editmenu.png]]
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
|5 - new comment
|<nowiki>-</nowiki>
|Text field for creating a new comment.
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
|6 - existing comment
|<nowiki>-</nowiki>
|Comments include the social tag ''Recommend.''
 
Each comment is a "social entity".
|<nowiki>-</nowiki>
|<nowiki>-</nowiki>
|-
| rowspan="3" |7 - "more" button
|morelink
|Link target of the "more" button. For blogs, it makes sense to link to the page ''Special:Blog''.
|string
|''Special:Timeline''
|-
|useendlessscroll
|More blog entries are automatically loaded after the user scrolls to the end of the blog.
|boolean
|''true''
|-
|showentitylistmore
|Shows a "more" button below the blog which loads more blog entries on click. This is only possible if ''useendlessscroll'' is set to ''false''.
|boolean
|''false''
|}
 
===Sorting===
Most commonly, a blog shows the latest blog entries first. However, there are many different options for sorting the list of blog entries.
 
====Syntax====
<syntaxhighlight lang="json">
[{
    "property": "timestamptouched",
    "direction": "DESC"
}]
</syntaxhighlight>
 
====Properties====
There are some common properties of a blog entry that are useful for sorting:
{| class="wikitable"
|+
!Property
!Description
|-
|timestampcreated
|creation date
|-
|timestamptouched
|last edit date
|-
|commentcount
|number of comments
|-
|ratingcount
|number of ratings
|-
|ownerid
|username of the creator of a blog entry
|-
|ownerrealname
|real name of the user
|}
 
====Direction====
Blog entries can be sorted in descending and ascending order. Descending is the default order.
{| class="wikitable"
|+
!Property
!Description
|-
|DESC
|sorts the blog entries in descending order
|-
|ASC
|sorts the blog entries in ascending order
|}
 
===Filtering===
Without setting the filter parameter, there will be no output on the page.
 
To show the blog entries of your wiki, include the following code block as shown in the code example above:<syntaxhighlight lang="json-object">
"filter": [ {
        "type": "list",
        "property": "type",
        "value": [ "blog" ],
        "comparison": "ct"
    }]
</syntaxhighlight>This filter selects all social entities whose type is ''blog''; entities of any other type are left out.
If you want to create a social timeline rather than a blog view, you can list several types of social entities in the same filter. The following example shows a timeline view that includes blog entries, discussion entries from wiki pages, and user profile information:<syntaxhighlight lang="json-object">
"filter": [ {
        "type": "list",
        "property": "type",
        "value": ["blog","topic","profile"],
        "comparison": "ct"
    }]
</syntaxhighlight>
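What the ''filter'', ''sort'' and ''limit'' parameters from the Sorting and Filtering sections actually select, as an added example that is not BlueSpiceSocial's own code: a small JavaScript model run over constructed sample entities, using this page's own code block from "Adding the blog to a page" as input. The entity field names follow the property table above; that <code>"comparison": "ct"</code> on a ''list'' filter means "the entity's property value is one of the listed values" is an assumption, as are the sample entities and their values.

```javascript
// Added example (not BlueSpiceSocial's own code): a small model of what the
// "filter", "sort" and "limit" parameters of a <bs:timeline> block select.
// Assumptions: entity field names as in the property table of this page, and
// "comparison": "ct" on a "list" filter meaning "the entity's property value is
// one of the listed values". Other parameters of the block are ignored here.

// Constructed sample social entities (ids, owners and timestamps are made up).
const SAMPLE_ENTITIES = [
  { id: 1, type: 'blog',    timestampcreated: '20220401120000', ownerid: 'alice', commentcount: 3 },
  { id: 2, type: 'topic',   timestampcreated: '20220402090000', ownerid: 'bob',   commentcount: 0 },
  { id: 3, type: 'blog',    timestampcreated: '20220403150000', ownerid: 'carol', commentcount: 7 },
  { id: 4, type: 'profile', timestampcreated: '20220404080000', ownerid: 'bob',   commentcount: 0 },
  { id: 5, type: 'blog',    timestampcreated: '20220405101500', ownerid: 'alice', commentcount: 1 },
  { id: 6, type: 'comment', timestampcreated: '20220406101500', ownerid: 'dave',  commentcount: 0 },
];

// The code block from "Adding the blog to a page" on this page, used as input.
const BLOG_WIKITEXT = `<bs:timeline>
{
    "showentitylistmenu": true,
    "preloadtitles": { "blog": "Template:Blog" },
    "preloadedentities": [{ "type": "blog" }],
    "headlinemessagekey": "Community-Blog",
    "showheadline": true,
    "usemorescroll": false,
    "morelink": "Special:Blog",
    "limit": 5,
    "sort": [ { "property": "timestampcreated", "direction": "DESC" } ],
    "lockedfilternames": [ "type" ],
    "filter": [ { "type": "list", "property": "type", "value": [ "blog" ], "comparison": "ct" } ]
}
</bs:timeline>`;

// Extract and parse the JSON body of the first <bs:timeline> tag in wikitext.
function parseTimelineTag(wikitext) {
  const m = wikitext.match(/<bs:timeline>([\s\S]*?)<\/bs:timeline>/);
  if (!m) throw new Error('no <bs:timeline> tag found');
  return JSON.parse(m[1]);
}

// One filter object; only the documented "list" / "ct" form is modelled.
function matchesFilter(entity, filter) {
  if (filter.type === 'list' && filter.comparison === 'ct') {
    return filter.value.includes(entity[filter.property]);
  }
  throw new Error('unsupported filter: ' + JSON.stringify(filter));
}

// Comparator for a "sort" array; DESC is the documented default direction.
function compareBy(sorters) {
  return (a, b) => {
    for (const s of sorters) {
      const dir = String(s.direction || 'DESC').toUpperCase() === 'ASC' ? 1 : -1;
      if (a[s.property] < b[s.property]) return -dir;
      if (a[s.property] > b[s.property]) return dir;
    }
    return 0;
  };
}

// Evaluate a parsed timeline config: no filter means no output (as documented),
// otherwise filter, sort and cut the list down to "limit" entities.
function selectEntities(config, entities) {
  if (!Array.isArray(config.filter) || config.filter.length === 0) return [];
  const selected = entities.filter((e) => config.filter.every((f) => matchesFilter(e, f)));
  selected.sort(compareBy(config.sort || [{ property: 'timestampcreated', direction: 'DESC' }]));
  return Number.isInteger(config.limit) ? selected.slice(0, config.limit) : selected;
}

// Ids of the entities the page's blog block would show, newest first.
function blogEntryIds() {
  return selectEntities(parseTimelineTag(BLOG_WIKITEXT), SAMPLE_ENTITIES).map((e) => e.id);
}

console.log('blog block shows entities', blogEntryIds());
```

Run with <code>node</code>: the page's blog block yields the three ''blog'' entities newest first, a filter listing ''blog'', ''topic'' and ''profile'' yields a mixed timeline, and a config without a ''filter'' yields nothing, which is the behaviour described at the start of the Filtering section.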
 
==Output type examples==
The output type for a blog is set with the ''outputtypes'' parameter. As with every other parameter in the JSON block, separate it from the preceding parameter with a comma, and add a comma after it unless it is the last parameter in the block:<syntaxhighlight lang="json-object">
"outputtypes": {
        "blog": "Default"
    }
</syntaxhighlight>
 
===Default===
The output type ''Default'' shows the content of a blog entry truncated after the first paragraph. To view the full text, users can click on the ''More'' link.
[[File:Manual:blog-output-default.png|center|650x650px|link=Special:FilePath/Manual:blog-output-default.png]]
<br />
 
===Short===
The output type ''Short'' does not show the content of the blog entry. To view the content, a user has to click on the title of a blog entry. This loads the actual page for the selected blog entity.
<br />
[[File:Manual:blog-output-short.png|center|650x650px|link=Special:FilePath/Manual:blog-output-short.png]]
<br />
 
===Page===
The output type ''Page'' shows all blog elements, including the comments, in an expanded view.
<br />
[[File:Manual:blog-output-page.png|center|650x650px|link=Special:FilePath/Manual:blog-output-page.png]]
 
===List===
The output type ''List'' only shows the title and the timestamp.
<br />
[[File:Manual:blog-output-list.png|center|link=Special:FilePath/Manual:blog-output-list.png]]
 
 
==Configuration==
 
 
In the [[Manual:Extension/BlueSpiceConfigManager|Config manager]], you can change the following settings:
 
 
{{#dpl:title=Manual:Extension/BlueSpiceConfigManager|include=#BlueSpiceSocialBlog}}
 
 
{{Box Links-en
|Topic1=[[Manual:Extension/BlueSpiceSocialMicroBlog|Micro-Blog]]
|Topic4=[[Manual:Extension/BlueSpiceSocialComments|Social comments]]
|Topic5=[[Manual:Extension/BlueSpiceSocialProfile|User Profile]]
|Topic3=[[Manual:Extension/BlueSpiceSocialTopics|Discussion topics]]
|Topic2=[[Manual:Extension/BlueSpiceSocialWikiPage|Discussions and Attachments]]
|Topic6=[[Manual:Extension/BlueSpiceSocialTags|Linked pages]]
|Topic7=[[Reference:BlueSpiceSocial]]
}}
 
 
{{Translation}}
[[Category:Social]]

Revision as of 12:06, 26 April 2022

Event

XSS attack vector in mwstake/mediawiki-component-commonuserinterface.

Evaluation of the vulnerability in BlueSpice

The value of the 'title' parameter is written to the output without escaping (for example into a 'list-group-item' element). Since the parameter value is reflected from the request into the response unescaped, any markup it contains is rendered by the browser, which is the precondition for a reflected cross-site scripting attack.

Patch release 4.1.3 contains an important security fix for this vulnerability.

The corresponding CVE entry is still pending and will be published soon. It is highly recommended that all users update their installation of BlueSpice 4 as soon as possible.
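The defect class described in this announcement, as an added example that is not part of the original announcement and not the code of mwstake/mediawiki-component-commonuserinterface (which is a PHP component; this illustration is JavaScript): a 'title' query parameter concatenated into a list-group-item, beside the same render with contextual escaping. The function names, the markup template, the URL and the crafted parameter value are all constructed for this example.

```javascript
// Added illustration of the defect class in the advisory: a request parameter
// ("title") reflected into a list-group-item without escaping. This is not the
// code of mwstake/mediawiki-component-commonuserinterface; the function names,
// the markup template, the URL and the crafted value are constructed here.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the parameter value is concatenated into the markup,
// once in an attribute context and once in a text context.
function renderListItemVulnerable(title) {
  return '<a class="list-group-item" href="#" title="' + title + '">' + title + '</a>';
}

// Hardened pattern: every interpolation of untrusted data is escaped first.
function renderListItemSafe(title) {
  const t = escapeHtml(title);
  return '<a class="list-group-item" href="#" title="' + t + '">' + t + '</a>';
}

// "Reflected": the value comes straight from the query string of the request.
function titleFromRequestUrl(url) {
  return new URL(url).searchParams.get('title') || '';
}

// Constructed heuristic used by the checks below (not an HTML parser): list the
// tag names and attribute names that actually appear in a markup string. Quoted
// attribute values are skipped, so an escaped payload inside a value does not
// count as an attribute.
function markupShape(html) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const shape = [];
  for (const tag of html.matchAll(tagRe)) {
    const attrs = [...tag[2].matchAll(attrRe)].map((a) => a[1].toLowerCase()).sort();
    shape.push(tag[1].toLowerCase() + '[' + attrs.join(',') + ']');
  }
  return shape.join(' ');
}

// Constructed attacker-controlled value: closes the title attribute and the
// tag, then injects an element carrying an event handler.
const CRAFTED_URL =
  'https://wiki.example/index.php?title=' +
  encodeURIComponent('"><img src=x onerror=alert(document.cookie)>');

// The shape a benign render has: one anchor with exactly these attributes.
const EXPECTED_SHAPE = 'a[class,href,title] a[]';

function main() {
  const title = titleFromRequestUrl(CRAFTED_URL);
  console.log('vulnerable:', markupShape(renderListItemVulnerable(title)));
  console.log('hardened:  ', markupShape(renderListItemSafe(title)));
}
main();
```

Run with <code>node</code>: the hardened render keeps exactly the template's one anchor with three attributes, while the vulnerable render gains two injected <code>img</code> elements with an <code>onerror</code> handler, one from the attribute context and one from the text context. The fix for this class of bug is to escape at every point where request data enters markup; in MediaWiki code, <code>Html::element()</code> does that for both attribute values and element content.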


