[Building Sakai] Javascript in MOTD

[Daniel Merino]

Hi again. My apologies because I should have investigated a little more 
before asking for help.

As it's said at https://jira.sakaiproject.org/browse/KNL-341 , if 
somebody wants to allow any forbidden HTML tag or attribute in 
FCKEditor, is as easy as adding it at the properties file:

config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties

in the property goodTags or goodAttributes, respectively.

I hope that the "flashvars" attribute isn't too dangerous... I have 
found no way of allowing it only for admins.

Best regards.

Daniel Merino escribió:
> Hi everybody.
>
> I'm trying, as admin user, to make a Message of the Day announcement 
> with a flash video embedded inside it.
>
> When I try to save the HTML code embedding the video, I receive error 
> messages that says me "The HTML attribute pattern ' flashvars (...)' is 
> not allowed". This attribute is at the tag "embed".
>
> Trying to make an HTML page in Resources (where javascript is allowed) 
> and embedding it into Announcements gives me another error: "The HTML 
> tag <iframe> is not allowed"...
>
> I can understand that Sakai platform must be protected against XSS 
> attacks, but it has no sense to me to forbid the javascript to the admin 
> user, even less in MOTD, a tool only available to admin users.
>
> So I wonder if I can disable the javascript protection for the admin 
> user in some way, or if somebody knows any trick to jump over this 
> protection. Does anybody know how could I do this?
>
> Thanks in advance.
> Best regards.
>   

-- 
Daniel Merino Echeverría
daniel.merino at unavarra.es
Gestor de teleformación - Centro Superior de Innovación Educativa.
Tfno: 948-168489 - Universidad Pública de Navarra.
--
Cada vez que una nueva tecnología comienza a rodar, si no eres parte de 
la apisonadora, eres parte de la carretera. (Stewart Brand)