[Building Sakai] Javascript in MOTD

daniel.merino at unavarra.es
Tue Mar 15 08:40:10 PDT 2011


Hi, Aaron. Thanks for the warning, but in fact the attribute "flashvars"
is not included in the bad arguments, nor in the good ones, at least
in our formattedtext.properties.

I suppose that, if the attribute/tag is not in any list, it's restricted
by default, isn't it?

Thanks and best regards.

On Tue, March 15, 2011, 14:56, Aaron Zeckoski wrote:
> I believe anything in the bad* is there because it can lead to a
> security breach (flashvars included). You can certainly make an
> argument that the chance of someone breaching is rare but consider
> this fair warning.
> :-)
> -AZ
>
>
> On Tue, Mar 15, 2011 at 9:07 AM, Daniel Merino
> <daniel.merino at unavarra.es> wrote:
>> Hi again. My apologies because I should have investigated a little more
>> before asking for help.
>>
>> As it's said at https://jira.sakaiproject.org/browse/KNL-341 , if
>> somebody wants to allow any forbidden HTML tag or attribute in
>> FCKEditor, it is as easy as adding it to the properties file:
>>
>> config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties
>>
>> in the property goodTags or goodAttributes, respectively.
>>
>> I hope that the "flashvars" attribute isn't too dangerous... I have
>> found no way of allowing it only for admins.
>>
>> Best regards.
>>
>> Daniel Merino wrote:
>>> Hi everybody.
>>>
>>> I'm trying, as admin user, to make a Message of the Day announcement
>>> with a flash video embedded inside it.
>>>
>>> When I try to save the HTML code embedding the video, I receive error
>>> messages that tell me "The HTML attribute pattern ' flashvars (...)' is
>>> not allowed". This attribute is on the tag "embed".
>>>
>>> Trying to make an HTML page in Resources (where javascript is allowed)
>>> and embedding it into Announcements gives me another error: "The HTML
>>> tag <iframe> is not allowed"...
>>>
>>> I can understand that the Sakai platform must be protected against XSS
>>> attacks, but it makes no sense to me to forbid JavaScript for the
>>> admin user, even less in MOTD, a tool only available to admin users.
>>>
>>> So I wonder if I can disable the javascript protection for the admin
>>> user in some way, or if somebody knows any trick to jump over this
>>> protection. Does anybody know how I could do this?
>>>
>>> Thanks in advance.
>>> Best regards.
>>>
>>
>> --
>> Daniel Merino Echeverría
>> daniel.merino at unavarra.es
>> E-learning manager - Centro Superior de Innovación Educativa.
>> Tel.: 948-168489 - Universidad Pública de Navarra.
>> --
>> Every time a new technology starts rolling, if you are not part of
>> the steamroller, you are part of the road. (Stewart Brand)
>
>
>
> --
> Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
>



