[Building Sakai] Javascript in MOTD
Daniel Merino
daniel.merino at unavarra.es
Tue Mar 15 06:07:26 PDT 2011
Hi again. My apologies because I should have investigated a little more
before asking for help.
As is said at https://jira.sakaiproject.org/browse/KNL-341 , if
somebody wants to allow any forbidden HTML tag or attribute in
FCKEditor, it is as easy as adding it to the properties file:
config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties
in the property goodTags or goodAttributes, respectively.
I hope that the "flashvars" attribute isn't too dangerous... I have
found no way of allowing it only for admins.
Best regards.
Daniel Merino wrote:
> Hi everybody.
>
> I'm trying, as admin user, to make a Message of the Day announcement
> with a flash video embedded inside it.
>
> When I try to save the HTML code embedding the video, I receive error
> messages that tell me "The HTML attribute pattern ' flashvars (...)' is
> not allowed". This attribute is on the tag "embed".
>
> Trying to make an HTML page in Resources (where javascript is allowed)
> and embedding it into Announcements gives me another error: "The HTML
> tag <iframe> is not allowed"...
>
> I can understand that the Sakai platform must be protected against XSS
> attacks, but it makes no sense to me to forbid javascript for the admin
> user, even less in MOTD, a tool only available to admin users.
>
> So I wonder if I can disable the javascript protection for the admin
> user in some way, or if somebody knows any trick to jump over this
> protection. Does anybody know how I could do this?
>
> Thanks in advance.
> Best regards.
>
--
Daniel Merino Echeverría
daniel.merino at unavarra.es
E-learning manager - Centro Superior de Innovación Educativa.
Tel: 948-168489 - Universidad Pública de Navarra.
--
Every time a new technology starts rolling, if you are not part of
the steamroller, you are part of the road. (Stewart Brand)