[Building Sakai] Javascript in MOTD

Aaron Zeckoski azeckoski at unicon.net
Tue Mar 15 15:39:31 PDT 2011


Certainly a reasonable confusion IMO.
:-)
-AZ


On Tue, Mar 15, 2011 at 5:54 PM, Steve Swinsburg
<steve.swinsburg at gmail.com> wrote:
> Here are the JIRAs I mentioned:
>
> https://jira.sakaiproject.org/browse/SAK-15878
> https://jira.sakaiproject.org/browse/KNL-505
>
> I think the confusion is that there is both a good and evil list.
> http://source.sakaiproject.org/viewsvn/config/trunk/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties?view=markup
>
> cheers,
> Steve
>
> On 16/03/2011, at 7:38 AM, Aaron Zeckoski wrote:
>
>> Let me try to clarify here. The way it works is as a whitelist. So
>> essentially, tags not in goodTags and attributes not in goodAttributes
>> are "bad" and will be stripped.
>>
>> An example using tags from the good and the bad list (and a made-up one
>> not in either list):
>> <div>good</div><applet>bad</applet><fake>neutral</fake>
>>
>> would end up as:
>> <div>good</div>
>>
>> In essence, there are no neutral tags or attributes. If they are not
>> good then they are bad.
>> Hope that helps clear things up.
>> -AZ
>>
>>
>> On Tue, Mar 15, 2011 at 11:40 AM,  <daniel.merino at unavarra.es> wrote:
>>> Hi, Aaron. Thanks for the warning, but in fact the attribute "flashvars"
>>> is not included in the bad arguments, nor in the good ones, at least
>>> in our formattedtext.properties.
>>>
>>> I suppose that, if the attribute/tag is not in any list, it's restricted
>>> by default, isn't it?
>>>
>>> Thanks and best regards.
>>>
>>> On Tue, 15 March 2011, 14:56, Aaron Zeckoski wrote:
>>>> I believe anything in the bad* is there because it can lead to a
>>>> security breach (flashvars included). You can certainly make an
>>>> argument that the chance of someone breaching is rare but consider
>>>> this fair warning.
>>>> :-)
>>>> -AZ
>>>>
>>>>
>>>> On Tue, Mar 15, 2011 at 9:07 AM, Daniel Merino
>>>> <daniel.merino at unavarra.es> wrote:
>>>>> Hi again. My apologies because I should have investigated a little more
>>>>> before asking for help.
>>>>>
>>>>> As it's said at https://jira.sakaiproject.org/browse/KNL-341 , if
>>>>> somebody wants to allow any forbidden HTML tag or attribute in
>>>>> FCKEditor, it is as easy as adding it to the properties file:
>>>>>
>>>>> config/localization/bundles/src/bundle/org/sakaiproject/localization/bundle/content_type/formattedtext.properties
>>>>>
>>>>> in the property goodTags or goodAttributes, respectively.
>>>>>
>>>>> I hope that the "flashvars" attribute isn't too dangerous... I have
>>>>> found no way of allowing it only for admins.
>>>>>
>>>>> Best regards.
>>>>>
>>>>> Daniel Merino wrote:
>>>>>> Hi everybody.
>>>>>>
>>>>>> I'm trying, as admin user, to make a Message of the Day announcement
>>>>>> with a flash video embedded inside it.
>>>>>>
>>>>>> When I try to save the HTML code embedding the video, I receive error
>>>>>> messages saying "The HTML attribute pattern ' flashvars (...)' is
>>>>>> not allowed". This attribute is on the "embed" tag.
>>>>>>
>>>>>> Trying to make an HTML page in Resources (where javascript is allowed)
>>>>>> and embedding it into Announcements gives me another error: "The HTML
>>>>>> tag <iframe> is not allowed"...
>>>>>>
>>>>>> I can understand that the Sakai platform must be protected against XSS
>>>>>> attacks, but it makes no sense to me to forbid JavaScript for the admin
>>>>>> user, even less in MOTD, a tool only available to admin users.
>>>>>>
>>>>>> So I wonder if I can disable the JavaScript protection for the admin
>>>>>> user in some way, or if somebody knows any trick to get around this
>>>>>> protection. Does anybody know how I could do this?
>>>>>>
>>>>>> Thanks in advance.
>>>>>> Best regards.
>>>>>>
>>>>>
>>>>> --
>>>>> Daniel Merino Echeverría
>>>>> daniel.merino at unavarra.es
>>>>> E-learning manager - Centro Superior de Innovación Educativa.
>>>>> Tel.: 948-168489 - Universidad Pública de Navarra.
>>>>> --
>>>>> Every time a new technology starts rolling, if you're not part of the
>>>>> steamroller, you're part of the road. (Stewart Brand)
>>>>> _______________________________________________
>>>>> sakai-dev mailing list
>>>>> sakai-dev at collab.sakaiproject.org
>>>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>>>
>>>>> TO UNSUBSCRIBE: send email to
>>>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>>>> "unsubscribe"
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
>
>



-- 
Aaron Zeckoski - Software Engineer - http://tinyurl.com/azprofile
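As an added illustration of the whitelist semantics Aaron describes above (allowed tags and attributes are kept, everything else is stripped, and a disallowed element takes its content with it), here is a small Python sanitizer built on the standard library's HTMLParser. This is example code written for this page, not Sakai's FormattedText implementation; the GOOD_TAGS and GOOD_ATTRIBUTES sets and the sample HTML are constructed for the demonstration and are not copied from formattedtext.properties (note that, as in Daniel's case, "embed" is allowed but "flashvars" is not):

```python
"""Whitelist-style HTML sanitizer: anything not explicitly allowed is stripped.

Added example for this thread, not Sakai's FormattedText code.  The allow-lists
below are constructed for the demonstration (assumption: Sakai's real
goodTags/goodAttributes lists differ).
"""
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists for the example.  "embed" is allowed, "flashvars" is not,
# which reproduces the situation described in the thread.
GOOD_TAGS = {"div", "p", "a", "b", "i", "em", "strong", "embed", "br"}
GOOD_ATTRIBUTES = {"href", "src", "title", "class", "style"}

# Elements that never have a closing tag, so they must not affect nesting depth.
VOID_TAGS = {"br", "img", "embed", "hr", "input"}


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags/attributes only.

    There is no "neutral" category: a tag that is not in good_tags is dropped
    together with everything inside it, and an attribute not in good_attrs is
    dropped from an otherwise allowed tag.
    """

    def __init__(self, good_tags, good_attrs):
        super().__init__(convert_charrefs=True)
        self.good_tags = {t.lower() for t in good_tags}
        self.good_attrs = {a.lower() for a in good_attrs}
        self.out = []
        self.stripped_tags = []    # disallowed tags that were removed
        self.stripped_attrs = []   # (tag, attribute) pairs that were removed
        self._skip_depth = 0       # > 0 while inside a disallowed element

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if self._skip_depth:
            # Nested inside a dropped element: track depth, emit nothing.
            if tag not in VOID_TAGS:
                self._skip_depth += 1
            return
        if tag not in self.good_tags:
            self.stripped_tags.append(tag)
            if tag not in VOID_TAGS:
                self._skip_depth = 1
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name in self.good_attrs:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
            else:
                self.stripped_attrs.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if self._skip_depth:
            if tag not in VOID_TAGS:
                self._skip_depth -= 1
            return
        if tag in self.good_tags and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside a dropped element is dropped too; other text is re-escaped.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html, good_tags=GOOD_TAGS, good_attrs=GOOD_ATTRIBUTES):
    """Return (clean_html, stripped_tags, stripped_attrs) for the input."""
    parser = WhitelistSanitizer(good_tags, good_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.stripped_tags, parser.stripped_attrs


if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread.
    for sample in (
        "<div>good</div><applet>bad</applet><fake>neutral</fake>",
        '<embed src="video.swf" flashvars="file=x.flv">',
        "<p>keep<script>alert(1)</script> after</p>",
    ):
        clean, tags, attrs = sanitize(sample)
        print(f"{sample!r}\n  -> {clean!r}  dropped tags={tags} attrs={attrs}")
```

The first sample reproduces Aaron's example exactly: the allowed div survives, the listed-bad applet and the unlisted fake are both removed along with their text, which is the point that there are no neutral tags. The second shows why Daniel's MOTD failed to save: the embed tag itself is allowed but the flashvars attribute is stripped, since it is not on the good list. Whether a real deployment should add flashvars to goodAttributes is a policy decision for that site, as the thread discusses; the code only shows what the allow-list mechanism does.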

