[Building Sakai] Javascript in MOTD

Aaron Zeckoski azeckoski at unicon.net
Tue Mar 15 06:56:17 PDT 2011


I believe anything in the bad* is there because it can lead to a
security breach (flashvars included). You can certainly make an
argument that the chance of someone breaching is rare but consider
this fair warning.
:-)
-AZ


On Tue, Mar 15, 2011 at 9:07 AM, Daniel Merino
<daniel.merino at unavarra.es> wrote:
> Hi again. My apologies because I should have investigated a little more
> before asking for help.
>
> As is said at https://jira.sakaiproject.org/browse/KNL-341 , if
> somebody wants to allow any forbidden HTML tag or attribute in
> FCKEditor, it is as easy as adding it to the properties file:
>
> config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties
>
> in the property goodTags or goodAttributes, respectively.
>
> I hope that the "flashvars" attribute isn't too dangerous... I have
> found no way of allowing it only for admins.
>
> Best regards.
>
> Daniel Merino wrote:
>> Hi everybody.
>>
>> I'm trying, as admin user, to make a Message of the Day announcement
>> with a flash video embedded inside it.
>>
>> When I try to save the HTML code embedding the video, I receive error
>> messages that tell me "The HTML attribute pattern ' flashvars (...)' is
>> not allowed". This attribute is on the tag "embed".
>>
>> Trying to make an HTML page in Resources (where javascript is allowed)
>> and embedding it into Announcements gives me another error: "The HTML
>> tag <iframe> is not allowed"...
>>
>> I can understand that the Sakai platform must be protected against XSS
>> attacks, but it makes no sense to me to forbid JavaScript for the admin
>> user, even less in MOTD, a tool only available to admin users.
>>
>> So I wonder if I can disable the javascript protection for the admin
>> user in some way, or if somebody knows any trick to jump over this
>> protection. Does anybody know how could I do this?
>>
>> Thanks in advance.
>> Best regards.
>>
>
> --
> Daniel Merino Echeverría
> daniel.merino at unavarra.es
> E-learning manager - Centro Superior de Innovación Educativa.
> Tel: 948-168489 - Universidad Pública de Navarra.
> --
> Every time a new technology starts rolling, if you are not part of the
> steamroller, you are part of the road. (Stewart Brand)
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>



-- 
Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
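As an added illustration (not Sakai's own FormattedText code; the real goodTags/goodAttributes property format and its pattern matching are not reproduced here), a simplified allowlist checker in Python that rejects tags and attributes the way the errors quoted above describe, and shows the difference between loosening the attribute allowlist globally and granting the extra attribute only to the admin role:

```python
from html.parser import HTMLParser

# Constructed, deliberately small allowlists (illustrative, not Sakai's real values).
GOOD_TAGS = frozenset({"p", "a", "b", "i", "embed"})
GOOD_ATTRIBUTES = frozenset({"href", "src", "title", "width", "height"})


class AllowlistChecker(HTMLParser):
    """Collects one error per disallowed tag or attribute, like the messages in the thread."""

    def __init__(self, good_tags, good_attributes):
        super().__init__()
        self.good_tags = good_tags
        self.good_attributes = good_attributes
        self.errors = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag not in self.good_tags:
            self.errors.append(f"The HTML tag <{tag}> is not allowed")
            return  # a rejected tag is dropped whole; its attributes are not reported
        for name, _value in attrs:
            if name not in self.good_attributes:
                self.errors.append(f"The HTML attribute pattern '{name}' is not allowed")


def check_html(html, good_tags=GOOD_TAGS, good_attributes=GOOD_ATTRIBUTES):
    """Return the list of allowlist violations found in html (empty means accepted)."""
    checker = AllowlistChecker(good_tags, good_attributes)
    checker.feed(html)
    checker.close()
    return checker.errors


def check_html_for_role(html, role, admin_only_attrs=frozenset({"flashvars"})):
    """Hypothetical per-role variant: extra attributes are granted only to admins.

    This is the scoping the thread says Sakai does not offer; editing the
    properties file instead widens the allowlist for every user."""
    attrs = GOOD_ATTRIBUTES | admin_only_attrs if role == "admin" else GOOD_ATTRIBUTES
    return check_html(html, GOOD_TAGS, attrs)


# Constructed sample inputs modelled on the two errors reported in the thread.
MOTD_HTML = '<p>Welcome</p><embed src="intro.swf" flashvars="autoplay=1"></embed>'
IFRAME_HTML = '<iframe src="page.html"></iframe>'

if __name__ == "__main__":
    print(check_html(MOTD_HTML))
    print(check_html(IFRAME_HTML))
    print(check_html_for_role(MOTD_HTML, "admin"), check_html_for_role(MOTD_HTML, "student"))
```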

