[Building Sakai] problem with HTML editors

Charles Hedrick hedrick at rutgers.edu
Fri Jan 20 11:04:46 PST 2012


I just ran into a problem with Lesson Builder that is likely to hit any tool with an HTML editor.

Chrome, and I believe also IE, are trying to protect against XSS attacks. In order to do that, they keep track of data submitted, and match it with the data displayed in response. If any of that is Javascript, they abort the display. In theory that means that if you add Javascript in an HTML editor, then when the page is displayed after doing "save" they will detect that the same Javascript you just submitted is being displayed, and abort execution.

At first this sounds like a potentially useful protection. However, there are (at least) two problems.

1) They don't just check for Javascript. Images can also trigger the problem.

2) They abort display only in the first display after the submit. At least in Lesson Builder, the result is a garbled page. Most users will respond to this by refreshing the page. And the supposedly rogue code will be executed then. It just stops it the first time.

So this doesn't actually protect against rogue Javascript, but it does cause random problems when editing a block of HTML in an editor and the block has images. The problem appears to be different for different versions of Chrome. I've seen suggestions that it also happens in some versions of IE.

For this reason I am adding the header X-XSS-Protection:0 when showing that page in Lesson Builder, for instructors. (Students' use of HTML editors should be more restricted. However I may end up doing it all the time.) Since it appears that the protection isn't that useful, it seems to make sense to disable the test.

This may be needed in other tools as well.
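The behaviour described in this message, as a simplified JavaScript model added here as an example: it is not part of the original post and is not how Chrome or IE actually implement their filter. The function names, the matching rule and the sample HTML are assumptions constructed for illustration.

```javascript
// Simplified model of a reflected-XSS filter as the post describes it.
// Not browser code: real filters used more elaborate matching.

// Pull out the parts of submitted data that the filter treats as "active":
// script blocks and, per the post, image tags as well.
function activeFragments(submitted) {
  const pattern = /<script\b[\s\S]*?<\/script>|<img\b[^>]*>/gi;
  return submitted.match(pattern) || [];
}

// Decide how the modelled browser renders a response to a given request.
// request:  { method, body }   body = decoded form data ('' for a GET)
// response: { headers, html }  header name is matched exactly in this model
function renderDecision(request, response) {
  const header = (response.headers['X-XSS-Protection'] || '').trim();
  if (header.startsWith('0')) {
    return { blocked: false, reason: 'filter disabled by header' };
  }
  for (const fragment of activeFragments(request.body || '')) {
    if (response.html.includes(fragment)) {
      return { blocked: true, reason: 'reflected: ' + fragment };
    }
  }
  return { blocked: false, reason: 'nothing in this request is reflected' };
}

// Constructed sample: an instructor saves a block that contains only an image.
const saved = '<p>Week 1</p><img src="/images/diagram.png">';
const page = (headers) => ({ headers, html: '<div class="item">' + saved + '</div>' });

function scenarios() {
  return {
    // Page shown in response to the "save" POST: submitted data is reflected.
    firstDisplay: renderDecision({ method: 'POST', body: saved }, page({})),
    // Same stored page after a refresh: the GET carries nothing to match.
    afterRefresh: renderDecision({ method: 'GET', body: '' }, page({})),
    // Same POST, but the server sends X-XSS-Protection: 0.
    headerSet: renderDecision({ method: 'POST', body: saved },
                              page({ 'X-XSS-Protection': '0' })),
  };
}

console.log(scenarios());
```
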


