[Building Sakai] Javascript in MOTD

Steve Swinsburg steve.swinsburg at gmail.com
Tue Mar 15 14:54:27 PDT 2011


Here are the JIRAs I mentioned:

https://jira.sakaiproject.org/browse/SAK-15878
https://jira.sakaiproject.org/browse/KNL-505

I think the confusion is that there is both a good and evil list.
http://source.sakaiproject.org/viewsvn/config/trunk/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties?view=markup

cheers,
Steve

On 16/03/2011, at 7:38 AM, Aaron Zeckoski wrote:

> Let me try to clarify here. The way it works is as a whitelist. So
> essentially, tags not in goodTags and attributes not in goodAttributes
> are "bad" and will be stripped.
> 
> An example using tags from the good and the bad list (and a made-up one
> not in either list):
> <div>good</div><applet>bad</applet><fake>neutral</fake>
> 
> would end up as:
> <div>good</div>
> 
> In essence, there are no neutral tags or attributes. If they are not
> good then they are bad.
> Hope that helps clear things up.
> -AZ
> 
> 
> On Tue, Mar 15, 2011 at 11:40 AM,  <daniel.merino at unavarra.es> wrote:
>> Hi, Aaron. Thanks for the warning, but in fact the attribute "flashvars"
>> is not included in the bad arguments, nor in the good ones, at least
>> in our formattedtext.properties.
>> 
>> I suppose that, if the attribute/tag is not in any list, it's restricted
>> by default, isn't it?
>> 
>> Thanks and best regards.
>> 
>> On Tue, 15 March 2011, 14:56, Aaron Zeckoski wrote:
>>> I believe anything in the bad* is there because it can lead to a
>>> security breach (flashvars included). You can certainly make an
>>> argument that the chance of someone breaching is rare but consider
>>> this fair warning.
>>> :-)
>>> -AZ
>>> 
>>> 
>>> On Tue, Mar 15, 2011 at 9:07 AM, Daniel Merino
>>> <daniel.merino at unavarra.es> wrote:
>>>> Hi again. My apologies because I should have investigated a little more
>>>> before asking for help.
>>>> 
>>>> As is said at https://jira.sakaiproject.org/browse/KNL-341 , if
>>>> somebody wants to allow any forbidden HTML tag or attribute in
>>>> FCKEditor, it is as easy as adding it to the properties file:
>>>> 
>>>> config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties
>>>> 
>>>> in the property goodTags or goodAttributes, respectively.
>>>> 
>>>> I hope that the "flashvars" attribute isn't too dangerous... I have
>>>> found no way of allowing it only for admins.
>>>> 
>>>> Best regards.
>>>> 
>>>> Daniel Merino wrote:
>>>>> Hi everybody.
>>>>> 
>>>>> I'm trying, as admin user, to make a Message of the Day announcement
>>>>> with a flash video embedded inside it.
>>>>> 
>>>>> When I try to save the HTML code embedding the video, I receive error
>>>>> messages that say "The HTML attribute pattern ' flashvars (...)' is
>>>>> not allowed". This attribute is on the tag "embed".
>>>>> 
>>>>> Trying to make an HTML page in Resources (where javascript is allowed)
>>>>> and embedding it into Announcements gives me another error: "The HTML
>>>>> tag <iframe> is not allowed"...
>>>>> 
>>>>> I can understand that the Sakai platform must be protected against XSS
>>>>> attacks, but it makes no sense to me to forbid JavaScript to the admin
>>>>> user, even less in MOTD, a tool only available to admin users.
>>>>> 
>>>>> So I wonder if I can disable the JavaScript protection for the admin
>>>>> user in some way, or if somebody knows any trick to jump over this
>>>>> protection. Does anybody know how I could do this?
>>>>> 
>>>>> Thanks in advance.
>>>>> Best regards.
>>>>> 
>>>> 
>>>> --
>>>> Daniel Merino Echeverría
>>>> daniel.merino at unavarra.es
>>>> E-learning manager - Centro Superior de Innovación Educativa.
>>>> Tel: 948-168489 - Universidad Pública de Navarra.
>>>> --
>>>> Every time a new technology starts rolling, if you are not part of
>>>> the steamroller, you are part of the road. (Stewart Brand)
>>>> _______________________________________________
>>>> sakai-dev mailing list
>>>> sakai-dev at collab.sakaiproject.org
>>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>> 
>>>> TO UNSUBSCRIBE: send email to
>>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>>> "unsubscribe"
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
>>> 
>> 
>> 
>> 
> 
> 
> 
> -- 
> Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
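Aaron's description of the allow-list semantics (anything not in goodTags or goodAttributes is stripped, so there are no neutral tags) and the "flashvars"/"<iframe> is not allowed" errors Daniel hit, as an added Python example. This is not Sakai's FormattedText code: the property names goodTags and goodAttributes are from the thread, but the list contents, the comma-separated file format, and the rule that a disallowed element is dropped together with its content (which is what makes `<applet>bad</applet>` vanish whole in Aaron's example) are assumptions.

```python
"""Allow-list HTML sanitizer in the style Aaron describes: tags not in goodTags
and attributes not in goodAttributes are stripped; nothing is neutral.
Added example for this thread, not Sakai's own FormattedText code. The property
names are from the thread; the list contents, the comma-separated file format,
and the rule that a disallowed element is dropped together with its content
(matching the <applet>bad</applet> example) are assumptions."""
import html
from html.parser import HTMLParser

# Constructed stand-in for formattedtext.properties; the real lists are longer.
SAMPLE_PROPERTIES = """
goodTags = a,b,br,div,em,embed,i,img,p,span,strong
goodAttributes = alt,class,height,href,id,src,style,title,width
"""

VOID_TAGS = {"br", "embed", "hr", "img", "input"}   # never get a closing tag


def load_allow_lists(text):
    """Parse 'key = a,b,c' lines into two lowercase sets (goodTags, goodAttributes)."""
    lists = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            lists[key.strip()] = {v.strip().lower() for v in value.split(",") if v.strip()}
    return lists.get("goodTags", set()), lists.get("goodAttributes", set())


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the markup keeping only listed tags and attributes.

    A disallowed start tag opens a 'drop' region that swallows everything up to
    its matching end tag, so <applet>bad</applet> disappears as a whole."""

    def __init__(self, good_tags, good_attrs):
        super().__init__(convert_charrefs=True)
        self.good_tags, self.good_attrs = good_tags, good_attrs
        self.out = []
        self.drop_depth = 0          # >0 while inside a disallowed element
        self.dropped_tags = []       # audit trail for the "not allowed" messages
        self.dropped_attrs = []

    def handle_starttag(self, tag, attrs):      # names arrive lowercased
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag not in self.good_tags:
            self.dropped_tags.append(tag)
            if tag not in VOID_TAGS:
                self.drop_depth = 1
            return
        kept = []
        for name, value in attrs:
            if name in self.good_attrs:
                kept.append((name, value or ""))
            else:
                self.dropped_attrs.append((tag, name))   # e.g. ("embed", "flashvars")
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    # HTMLParser's default handle_startendtag calls handle_starttag and then
    # handle_endtag, so a self-closing <fake/> opens and closes its drop region.

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.good_tags and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))   # text is re-escaped, never trusted


def sanitize(markup, properties=SAMPLE_PROPERTIES):
    """Return (clean_html, dropped_tags, dropped_attrs) for the given markup."""
    good_tags, good_attrs = load_allow_lists(properties)
    p = WhitelistSanitizer(good_tags, good_attrs)
    p.feed(markup)
    p.close()
    return "".join(p.out), p.dropped_tags, p.dropped_attrs


if __name__ == "__main__":
    for sample in ('<div>good</div><applet>bad</applet><fake>neutral</fake>',
                   '<embed src="video.swf" flashvars="autoplay=1">',
                   '<iframe src="page.html"></iframe>',
                   '<a href="/x" onclick="alert(1)">link</a>'):
        clean, tags, attrs = sanitize(sample)
        print(f"{sample!r:60} -> {clean!r}  dropped tags={tags} attrs={attrs}")
```

Running it reproduces the thread: the first sample collapses to `<div>good</div>`, the `embed` keeps its `src` but loses `flashvars`, the `iframe` is removed, and an inline `onclick` is dropped even though `<a>` itself is allowed. Adding `flashvars` to goodAttributes, as KNL-341 describes, is exactly what turns that second case into a pass, for every user who can reach the editor, not only admins.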


