Added content security section to the api docs

Related to #3636
2025-04-16 17:47:52 +00:00 · 2022-08-11 10:49:45 +01:00 · 2022-08-11 10:49:45 +01:00 · e02bd5e57e
commit e02bd5e57e
parent 5f7cd735ea
3 changed files with 20 additions and 0 deletions
--- a/app/Http/Controllers/Api/PageApiController.php
+++ b/app/Http/Controllers/Api/PageApiController.php
@ -86,6 +86,9 @@ class PageApiController extends ApiController
     *
     * Pages will always have HTML content. They may have markdown content
     * if the markdown editor was used to last update the page.
+     *
+     * See the "Content Security" section of these docs for security considerations when using
+     * the page content returned from this endpoint.
     */
    public function read(string $id)
    {
--- a/resources/views/api-docs/index.blade.php
+++ b/resources/views/api-docs/index.blade.php
@ -16,6 +16,7 @@
                        <div class="mb-xs"><a href="#listing-endpoints">Listing Endpoints</a></div>
                        <div class="mb-xs"><a href="#error-handling">Error Handling</a></div>
                        <div class="mb-xs"><a href="#rate-limits">Rate Limits</a></div>
+                        <div class="mb-xs"><a href="#content-security">Content Security</a></div>
                    </div>

                    @foreach($docs as $model => $endpoints)
--- a/resources/views/api-docs/parts/getting-started.blade.php
+++ b/resources/views/api-docs/parts/getting-started.blade.php
@ -179,4 +179,20 @@ API_REQUESTS_PER_MIN=180</code></pre>
    It's generally good practice to limit requests made from your API client, where possible, to avoid
    affecting normal use of the system caused by over-consuming system resources.
    Keep in mind there may be other rate-limiting factors such as web-server & firewall controls.
+</p>
+
+<hr>
+
+<h5 id="content-security" class="text-mono mb-m">Content Security</h5>
+<p>
+    Many of the available endpoints will return content that has been provided by user input.
+    Some of this content may be provided in a certain data-format (Such as HTML or Markdown for page content).
+    Such content is not guaranteed to be safe so keep security in mind when dealing with such user-input.
+    In some cases, the system will apply some filtering to content in an attempt to prevent certain vulnerabilities, but
+    this is not assured to be a bullet-proof defence.
+</p>
+<p>
+    Within its own interfaces, unless disabled, the system makes use of Content Security Policy (CSP) rules to heavily negate
+    cross-site scripting vulnerabilities from user content. If displaying user content externally, it's advised you
+    also use defences such as CSP or the disabling of JavaScript completely.
 </p>