[Building Sakai] Customizing rich-text sanitization in Sakai 2.8.x

Noah Botimer botimer at umich.edu
Mon Dec 2 10:50:10 PST 2013


I did something along these lines to allow data-* attributes in KNL-1007... Let's just say that it was a bit of a challenge, but that was kind of changing the grammar to allow wildcard attributes.

It would be somewhat more direct to filter the attribute values. There is a checkValue method that is used to scan SVG data -- I think you can probably extend that to scrub iframes (in combination with the config bits Matt mentions).

http://source.sakaiproject.org/viewsvn/kernel/branches/kernel-1.2.x/kernel-util/src/main/java/org/sakaiproject/util/FormattedText.java?view=markup#l917

Thanks,
-Noah

On Dec 2, 2013, at 11:12 AM, Matthew Jones wrote:

> Not sure, in the old text processor we just allowed good and bad tags, there was no care about the contents of the attributes (as long as they didn't contain any script). 
> 
> It seems like you'd have to write a decent amount of custom code in checkAttributes in the old FormattedText or do something about the M_goodAttributePatterns. Maybe like remove the src parameter from the goodAttributes and process it separately with your list of urls? (If this is what you're thinking) The biggest problem with this in 2.8 is that the kernel-utils were packaged with every tool, so if you did change this you'd have to rebuild your entire system to make sure every tool got the change. 
> 
> I haven't heard of anyone backporting Antisamy, with Antisamy what you're describing is super easy. :(
> 
> 
> 
> On Mon, Dec 2, 2013 at 8:45 AM, Branden Visser <mrvisser at gmail.com> wrote:
> Hi all,
> 
> I was wondering what would be the best way to customize how rich-text
> content is sanitized in Sakai 2.8.x? I know antisamy was introduced in
> 2.9.x, but AFAIK this has not been backported to 2.8 [1].
> 
> Particularly, I would like to allow iframes whose src matches a
> particular regex (which antisamy allows).
> 
> Any advice would be greatly appreciated!
> 
> Cheers,
> Branden
> 
> 
> [1] https://jira.sakaiproject.org/browse/KNL-1015
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> 
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 
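
The following is an added example, not code from Sakai's FormattedText, from KNL-1007, or from anyone in this thread. It shows the approach Matt sketches (take src out of the generic attribute handling and validate it separately against an operator-supplied URL regex) as a standalone Java filter: every <iframe> element is located, its src is normalised and matched against an allowlist Pattern, and an allowed iframe is re-emitted from scratch with only the validated src, so onload, srcdoc and any other attribute never reach the output. The class name, the YouTube allowlist pattern and the sample inputs are constructed for illustration; how to call this from checkAttributes/checkValue in kernel 1.2.x is not shown, since that API is not on this page.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Standalone illustration (hypothetical; not Sakai code) of allowlisting
 * iframe src values by regex. Allowed iframes are rebuilt from scratch, so
 * only the validated src survives; everything else on the tag is dropped.
 */
public class IframeSrcFilter {

    // A whole <iframe ...>...</iframe> element, or a bare opening tag with no
    // closing tag. DOTALL so attributes and content may span lines.
    private static final Pattern IFRAME = Pattern.compile(
        "<iframe\\b([^>]*)>(?:.*?</iframe\\s*>)?",
        Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    // src="..." , src='...' or src=unquoted; the value lands in group 1, 2 or 3.
    private static final Pattern SRC = Pattern.compile(
        "\\bsrc\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))",
        Pattern.CASE_INSENSITIVE);

    private final Pattern allowedSrc;

    public IframeSrcFilter(Pattern allowedSrc) {
        this.allowedSrc = allowedSrc;
    }

    /** Returns the src value found in an iframe's attribute string, or null. */
    static String extractSrc(String attrs) {
        Matcher m = SRC.matcher(attrs);
        if (!m.find()) return null;
        for (int g = 1; g <= 3; g++) {
            if (m.group(g) != null) return m.group(g);
        }
        return null;
    }

    /**
     * Browsers strip ASCII tab/newline anywhere in a URL and leading/trailing
     * whitespace, so "java\tscript:" reaches the URL parser as "javascript:".
     * Strip the whole control range and both match AND emit the stripped value,
     * so the string we checked is exactly the string the browser sees.
     */
    static String normalise(String src) {
        return src.replaceAll("[\\x00-\\x20\\x7f]", "");
    }

    public String sanitize(String html) {
        Matcher m = IFRAME.matcher(html);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String replacement = "";              // default: drop the element
            String src = extractSrc(m.group(1));
            if (src != null) {
                String clean = normalise(src);
                // matches() anchors the whole string: no find()-style prefix match
                if (allowedSrc.matcher(clean).matches()) {
                    replacement = "<iframe src=\"" + clean + "\"></iframe>";
                }
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Hypothetical allowlist: only https YouTube embed URLs with an 11-char id.
        Pattern allow = Pattern.compile(
            "https://www\\.youtube\\.com/embed/[A-Za-z0-9_-]{11}(\\?[A-Za-z0-9_=&-]*)?");
        IframeSrcFilter f = new IframeSrcFilter(allow);

        String[] samples = {   // constructed inputs, not real user content
            "<p>ok</p><iframe src=\"https://www.youtube.com/embed/dQw4w9WgXcQ\"></iframe>",
            "<IFRAME SRC='https://evil.example/x' onload=alert(1)></IFRAME>",
            "<iframe src=\"java\tscript:alert(1)\"></iframe>",
            "<iframe srcdoc=\"<script>alert(1)</script>\"></iframe>",
            "<iframe src=\"https://www.youtube.com.evil.example/embed/dQw4w9WgXcQ\"></iframe>",
            "<iframe src=\"https://www.youtube.com/embed/dQw4w9WgXcQ\" onload=\"alert(1)\" allow=\"camera\">",
        };
        for (String s : samples) {
            System.out.println(s + "\n  -> " + f.sanitize(s));
        }
    }
}
```

Of the six constructed inputs, only the first and the last keep an iframe, and both come out as a bare `<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>`; the lookalike host, the javascript: URL with an embedded tab, the srcdoc-only iframe and the off-allowlist host are all removed. Two caveats: the whole element, including any fallback content between the tags, is dropped or rebuilt, and like the regex-based 2.8 filter itself this is brittle against malformed markup (an unescaped `>` inside an attribute value ends the tag match early), which is the reason a real HTML parser such as AntiSamy is the better long-term answer.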


