[Building Sakai] FormattedText Question

Holladay, Bryan Andrew bahollad at indiana.edu
Tue Apr 20 07:34:50 PDT 2010


We at IU (and probably OSP as well) have an issue with FormattedText removing anchors from the FCKEditor text in our forms.  I have attached a patch that resolves this issue to this email, but I wanted to consult the community about security first.

Is there a security reason why FormattedText.java in the Kernel removes the "name" attribute in <a> tags?  Is there a security reason why "about='blank'" is added to every <a> tag?

Examples of anchor tags going through FormattedText.java:

<a href="#goToAnchor">  ====FormattedText====>  <a href="#goToAnchor" about="blank">

<a name="goToAnchor">  ====FormattedText====>  (removed)


I'm also assuming this happens in all FCKEditors that render through the FormattedText API.  My patch deals with these two exceptions, if anyone wants to merge it into Kernel.


Thanks,
Bryan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ONC-2480_diff.txt
Type: application/octet-stream
Size: 2133 bytes
Desc: ONC-2480_diff.txt
Url : http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20100420/31b63d24/attachment.obj 

