[Building Sakai] Javascript in MOTD

Aaron Zeckoski azeckoski at unicon.net
Tue Mar 15 13:38:16 PDT 2011


Let me try to clarify here. The way it works is as a whitelist. So
essentially, tags not in goodTags and attributes not in goodAttributes
are "bad" and will be stripped.

An example using tags from the good and the bad list (and a made-up one
not in either list):
<div>good</div><applet>bad</applet><fake>neutral</fake>

would end up as:
<div>good</div>

In essence, there are no neutral tags or attributes. If they are not
good then they are bad.
Hope that helps clear things up.
-AZ


On Tue, Mar 15, 2011 at 11:40 AM,  <daniel.merino at unavarra.es> wrote:
> Hi, Aaron. Thanks for the warning, but in fact the attribute "flashvars"
> is not included in the bad arguments, nor in the good ones, at least
> in our formattedtext.properties.
>
> I suppose that, if the attribute/tag is not in any list, it's restricted
> by default, isn't it?
>
> Thanks and best regards.
>
> On Tue, 15 March 2011, 14:56, Aaron Zeckoski wrote:
>> I believe anything in the bad* is there because it can lead to a
>> security breach (flashvars included). You can certainly make an
>> argument that the chance of someone breaching is rare but consider
>> this fair warning.
>> :-)
>> -AZ
>>
>>
>> On Tue, Mar 15, 2011 at 9:07 AM, Daniel Merino
>> <daniel.merino at unavarra.es> wrote:
>>> Hi again. My apologies because I should have investigated a little more
>>> before asking for help.
>>>
>>> As is said at https://jira.sakaiproject.org/browse/KNL-341 , if
>>> somebody wants to allow any forbidden HTML tag or attribute in
>>> FCKEditor, it is as easy as adding it to the properties file:
>>>
>>> config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties
>>>
>>> in the property goodTags or goodAttributes, respectively.
>>>
>>> I hope that the "flashvars" attribute isn't too dangerous... I have
>>> found no way of allowing it only for admins.
>>>
>>> Best regards.
>>>
>>> Daniel Merino wrote:
>>>> Hi everybody.
>>>>
>>>> I'm trying, as admin user, to make a Message of the Day announcement
>>>> with a flash video embedded inside it.
>>>>
>>>> When I try to save the HTML code embedding the video, I receive error
>>>> messages telling me "The HTML attribute pattern ' flashvars (...)' is
>>>> not allowed". This attribute is on the tag "embed".
>>>>
>>>> Trying to make an HTML page in Resources (where javascript is allowed)
>>>> and embedding it into Announcements gives me another error: "The HTML
>>>> tag <iframe> is not allowed"...
>>>>
>>>> I can understand that the Sakai platform must be protected against XSS
>>>> attacks, but it makes no sense to me to forbid javascript for the admin
>>>> user, even less in MOTD, a tool only available to admin users.
>>>>
>>>> So I wonder if I can disable the javascript protection for the admin
>>>> user in some way, or if somebody knows any trick to jump over this
>>>> protection. Does anybody know how I could do this?
>>>>
>>>> Thanks in advance.
>>>> Best regards.
>>>>
>>>
>>> --
>>> Daniel Merino Echeverría
>>> daniel.merino at unavarra.es
>>> E-learning manager - Centro Superior de Innovación Educativa.
>>> Tel: 948-168489 - Universidad Pública de Navarra.
>>> --
>>> Every time a new technology starts rolling, if you are not part of
>>> the steamroller, you are part of the road. (Stewart Brand)
>>> _______________________________________________
>>> sakai-dev mailing list
>>> sakai-dev at collab.sakaiproject.org
>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>
>>> TO UNSUBSCRIBE: send email to
>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>> "unsubscribe"
>>>
>>
>>
>>
>> --
>> Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
>>
>
>
>



-- 
Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
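To make the whitelist behaviour described in this thread concrete, here is an added Python example; it is not Sakai's FormattedText code (Sakai's implementation is Java, and its real goodTags/goodAttributes values live in formattedtext.properties). The GOOD_TAGS and GOOD_ATTRIBUTES sets are constructed sample values, chosen so that the div/applet/fake example from the reply above and the "flashvars" attribute from the original question can be run through it. A tag that is not whitelisted is dropped together with its content (there are no "neutral" tags), and a non-whitelisted attribute on an allowed tag is silently removed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample whitelist (NOT Sakai's real goodTags/goodAttributes).
GOOD_TAGS = {"div", "p", "span", "b", "i", "a", "embed"}
GOOD_ATTRIBUTES = {"href", "src", "class", "title", "width", "height"}
# Void elements never get a closing tag and do not open a nesting level.
VOID_TAGS = {"embed", "br", "img", "hr"}


class WhitelistSanitizer(HTMLParser):
    """Keep only whitelisted tags/attributes; drop everything else.

    Unlike a blacklist, an unknown tag (e.g. <fake>) is treated as bad,
    which is the behaviour the thread describes for Sakai's MOTD filter.
    """

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities arrive decoded
        self.out = []
        self.drop_depth = 0  # > 0 while inside a non-whitelisted element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            # Nested inside a dropped element: track depth, emit nothing.
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag not in GOOD_TAGS:
            # Not whitelisted (bad or merely unknown): drop it and its content.
            if tag not in VOID_TAGS:
                self.drop_depth = 1
            return
        kept = [(k, v) for k, v in attrs if k in GOOD_ATTRIBUTES]
        attr_str = "".join(
            f' {k}="{escape(v or "", quote=True)}"' for k, v in kept
        )
        self.out.append(f"<{tag}{attr_str}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in GOOD_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output so decoded entities cannot become markup.
        if not self.drop_depth:
            self.out.append(escape(data))

    # Comments and declarations are dropped by the base class's no-op handlers.


def sanitize(html):
    """Return `html` with only whitelisted tags and attributes retained."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()  # flush buffered text
    return "".join(parser.out)


if __name__ == "__main__":
    # The example from the reply above: good, bad, and a tag in neither list.
    print(sanitize("<div>good</div><applet>bad</applet><fake>neutral</fake>"))
    # The attribute from the original question: flashvars is not whitelisted.
    print(sanitize('<embed src="movie.swf" flashvars="autoplay=1" width="320">'))
    # An event-handler attribute on an allowed tag is stripped as well.
    print(sanitize('<p onclick="alert(1)">x &amp; y</p>'))
```

Note that because the whitelist is enforced at save time for every author, an admin-only exception (as asked about in the original question) would have to be a separate decision in the calling code, not something the filter itself knows about; a `<script>` or `<iframe>` element runs through the same `drop_depth` path as `<applet>` here.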

