[Building Sakai] Samigo: Using <object/> tag in question text

Matthew Jones matthew at longsight.com
Wed Apr 23 06:46:29 PDT 2014


That's great Shoji. As Sam mentioned you can get an updated file, or update
this file if you find some things are still being blocked. Running 2.9.3
you might be a little out of date with this XML file. So you can just put
it in your ${sakai.home}/antisamy/low-security-policy.xml directory with
the properties file and it will pick up the more updated version.

Here is the most updated version:
https://source.sakaiproject.org/svn/kernel/trunk/kernel-impl/src/main/resources/antisamy/low-security-policy.xml

So for instance, if you search for the object tag in that xml you'll see it
explicitly allows a lot of attributes like type, height and data and
filters them using regular expressions. If someone gives you an object with
tags we don't currently have in there you can add them (and ideally file a
jira about it). With validateParamAsEmbed the embed tag is the same as the
param tag.

        <tag name="object" action="validate">

          ...


        </tag>


 Thanks!


On Wed, Apr 23, 2014 at 9:24 AM, Shoji Kajita <kajita.shoji.5z at kyoto-u.ac.jp> wrote:

> Hi Sam,
>
> At Mon, 21 Apr 2014 09:19:05 -0400,
> Sam Ottenhoff wrote:
> > > I think this is related to HTML sanitization but I couldn't find the
> > > code in Java and js.
> > Correct, the HTML sanitization library is an upstream project called
> > AntiSamy.  Sakai has two possible policies high and low.  The XML
> > configurations for these policies are kept in the kernel code.
>
> Bingo!
>
> I tested the following three cases using the following object tag:
>
> <object data="http://xxx/01.wav" height="26" id="MediaPlayer"
> type="audio/mp3" width="70"><param name="enabled" value="true" /><param
> name="src" value="http://xxx/01.wav" /><param name="autostart"
> value="false" /><param name="uimode" value="full" /></object>
>
> Case 1:
>
> content.cleaner.use.legacy.html=true
> content.cleaner.default.low.security=true
>
> I could save the object tag successfully.
>
> Case 2:
>
> content.cleaner.use.legacy.html=false
> content.cleaner.default.low.security=true
>
> Again I could save the object tag successfully.
>
> Case 3 (default setting in Sakai 2.9.3):
>
> content.cleaner.use.legacy.html=false
> content.cleaner.default.low.security=false
>
> I could not save.
>
> So with that, we have decided to use the values of Case 2 for our
> production system in this term.
>
> Thank you so much for your swift help!
>
> Best regards,
> ---
> Shoji Kajita, Ph.D.
> Professor, Entrepreneur
> IT Planning Office, IIMC
> Academic Center for Computing and Media Studies
> Kyoto University
> Twitter: @shojikajita
>
>
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to
> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
> "unsubscribe"
>
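One way to check a policy file against a specific fragment before flipping the sakai.properties flags, as an added Java example that is not from this thread or from the Sakai or AntiSamy projects: it loads the low-security policy from the ${sakai.home}/antisamy location mentioned above (the path and the sakai.home default are assumptions), runs the object tag from Shoji's test through AntiSamy, and prints what survived and what the sanitizer reported. The second input adds an attribute that the policy does not list, so you can see whether the policy strips just that attribute or removes the whole element.

```java
import java.io.File;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Runs a question-text fragment through an AntiSamy policy and reports what
 * the sanitizer kept, what it dropped and which errors it recorded.
 */
public class ObjectTagPolicyCheck {

    // Assumed location: the low-security policy placed under ${sakai.home}/antisamy
    // as described in the thread. Override with -Dsakai.home=/path/to/sakai if needed.
    private static final String POLICY_PATH =
            System.getProperty("sakai.home", "/opt/sakai")
            + "/antisamy/low-security-policy.xml";

    // The object tag from the test case in the thread (host "xxx" kept as posted).
    static final String OBJECT_TAG =
            "<object data=\"http://xxx/01.wav\" height=\"26\" id=\"MediaPlayer\""
            + " type=\"audio/mp3\" width=\"70\">"
            + "<param name=\"enabled\" value=\"true\" />"
            + "<param name=\"src\" value=\"http://xxx/01.wav\" />"
            + "<param name=\"autostart\" value=\"false\" />"
            + "<param name=\"uimode\" value=\"full\" /></object>";

    // Same tag with a constructed attribute ("foo") that the policy does not list.
    static final String OBJECT_TAG_EXTRA_ATTR =
            OBJECT_TAG.replace("width=\"70\"", "width=\"70\" foo=\"bar\"");

    /** Sanitizes one fragment with the given policy. */
    static CleanResults scan(String html, Policy policy)
            throws ScanException, PolicyException {
        return new AntiSamy().scan(html, policy);
    }

    /** Prints input, sanitized output and the sanitizer's error messages. */
    static void report(String label, String input, Policy policy)
            throws ScanException, PolicyException {
        CleanResults result = scan(input, policy);
        System.out.println("== " + label);
        System.out.println("input : " + input);
        System.out.println("output: " + result.getCleanHTML());
        System.out.println("errors: " + result.getNumberOfErrors());
        List<String> errors = result.getErrorMessages();
        for (String e : errors) {
            System.out.println("  - " + e);
        }
        // If the element itself is gone, the question text will lose the player;
        // the tag's action and attribute regexes in the policy are the place to look.
        if (!result.getCleanHTML().contains("<object")) {
            System.out.println("NOTE: <object> was removed entirely by this policy.");
        }
    }

    public static void main(String[] args) throws Exception {
        Policy policy = Policy.getInstance(new File(POLICY_PATH));
        report("object tag as posted", OBJECT_TAG, policy);
        report("object tag with unlisted attribute", OBJECT_TAG_EXTRA_ATTR, policy);
    }
}
```

Run it once with the policy you ship and once with the updated kernel copy linked above; a difference in the printed errors tells you exactly which tag or attribute rule the older file is missing, which is more useful than toggling content.cleaner.default.low.security and retrying the save.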