[Building Sakai] Question - AntiSamy testing

Sam Ottenhoff ottenhoff at longsight.com
Wed Aug 14 07:35:26 PDT 2013


> The Low setting of AntiSamy did not like the allowfullscreen attribute in
> the youtube example, gave a warning and stripped it out, though it allowed
> the video. The High setting accepted the allowfullscreen attribute. That
> seems odd.
>


That's a bug.  I filed and fixed it here:
https://jira.sakaiproject.org/browse/KNL-1112

If you can test and verify on trunk, we can get it merged into 2.9.x.



>
> The Low setting of AntiSamy stripped out several attributes from the
> ted.com site, though it allowed the video, and High did not allow the
> video. scrolling, webkitallowfullscreen, mozallowfullscreen, and allowfullscreen
> were all stripped out on Low (n/a on High since video link isn't kept
> anyway).
>

Attributes with no value are addressed in
https://jira.sakaiproject.org/browse/KNL-1112

So previously, in low, just an attribute with no value like
"allowfullscreen" would not be allowed.  Low policy was looking for
"allowfullscreen=true".



>
> I've added these cases to the Test Plan on
> https://jira.sakaiproject.org/browse/LSNBLDR-276 , but with those
> attributes stripped out. I presume the attribute stripping is expected
> behavior? Should Low strip something out which High does not
> (allowfullscreen attribute)?
>


No.  Low should always allow everything that high allows.
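
An added example, not part of the original message and not Sakai or AntiSamy code: a regression check for the rule that Low must keep every attribute High keeps, including a valueless allowfullscreen. It is a simplified model of an attribute allowlist; the policy tables, regexes and sample markup are constructed assumptions, not the real policy files.

```python
import re
from html.parser import HTMLParser

# Constructed policies: (tag, attribute) -> regex the whole value must match.
# Assumption: a valueless attribute is checked as the empty string.
HIGH = {
    ("iframe", "src"): r"https://www\.youtube\.com/embed/[\w-]+",
    ("iframe", "allowfullscreen"): r"(true|allowfullscreen)?",
}
# Low as described in the thread: it looked for allowfullscreen=true only.
LOW_BEFORE = {
    ("iframe", "src"): r"https?://\S+",
    ("iframe", "allowfullscreen"): r"true",
    ("iframe", "scrolling"): r"(yes|no|auto)",
}
# Low after the fix: the bare attribute is accepted as well.
LOW_AFTER = {**LOW_BEFORE, ("iframe", "allowfullscreen"): r"(true|allowfullscreen)?"}

# Constructed sample embeds.
SAMPLES = [
    '<iframe src="https://www.youtube.com/embed/abc123" allowfullscreen></iframe>',
    '<iframe src="https://www.youtube.com/embed/abc123" allowfullscreen="true"></iframe>',
]


class _AttrCollector(HTMLParser):
    """Collects (tag, name, value) triples; html.parser reports a bare attribute as None."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen += [(tag, name, value or "") for name, value in attrs]


def kept(html, policy):
    """Return the set of (tag, attribute) pairs the policy would leave in place."""
    parser = _AttrCollector()
    parser.feed(html)
    parser.close()
    return {(tag, name) for tag, name, value in parser.seen
            if (tag, name) in policy and re.fullmatch(policy[(tag, name)], value)}


def violations(samples, high, low):
    """List (sample, attribute) pairs that High keeps but Low strips."""
    return sorted((s, attr) for s in samples for attr in kept(s, high) - kept(s, low))
```
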