[Building Sakai] Antisamy

Matthew Jones matthew at longsight.com
Mon Jul 14 15:19:06 PDT 2014


Yeah, antisamy relies on regular expressions to validate input.

It looks like it's failing on the unencoded characters on that url for the
offsiteURL, specifically \ { } and ^. There are probably other characters
just not included.

I'm not sure where you're generating that url from, but it does say in the
little blue box about URL-Encoding the chl Data:
https://developers.google.com/chart/infographics/docs/formulas

"Remember that you must URL-encode any non-URL-safe characters used in your
formula. You can find a URL-encoder here
<https://developers.google.com/chart/interactive/docs/querylanguage#plainText>
."

If I encode this chl parameter it comes up okay.

https://chart.googleapis.com/chart?cht=tx&chl=%3Dx%3D%5Cfrac%7B-b%5Cpm%5Csqrt%7Bb%5E2-4ac%7D%7D%7B2a%7D


On Mon, Jul 14, 2014 at 5:51 PM, Omer A Piperdi <omer at rice.edu> wrote:

>  I think it is stripping simple image tag like this, in low antisamy
> setting.. or my low setting is not correct..
>
> https://chart.googleapis.com/chart?cht=tx&chl=x=\frac{-b\pm\sqrt{b^2-4ac}}{2a}
>
> Thanks
> Omer
>
>
> On 7/14/2014 3:55 PM, Matthew Jones wrote:
>
> There are various options for security in the default.sakai properties.
> You'd have to look at what is available for your version.
> The file for trunk is at
>
> https://source.sakaiproject.org/svn/config/trunk/configuration/bundles/src/bundle/org/sakaiproject/config/bundle/default.sakai.properties
>
>  The legacy cleaner was removed for Sakai 10 (KNL-1127) because the rules
> in Antisamy were easier to configure and mapped almost exactly with the
> legacy (at least in the low setting) and protected against more security
> issues that we'd have ever been able to keep up with.. So it's not possible
> to completely remove it unless you provide an xml file that does no
> filtering.
>
>  I'd be more interested in whatever issue you're having, if it's security
> related you should take the discussion over to the
> sakai-security at collab.sakaiproject.org list though.
>
>
> On Mon, Jul 14, 2014 at 4:45 PM, Omer A Piperdi <omer at rice.edu> wrote:
>
>> Is there an option to turn off antisamy? What is the property for this?
>>
>> Thanks
>> Omer
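
The fix described in the reply above, as an added example (not code from the thread, from Sakai, or from AntiSamy): it lists the characters in the raw chart URL that RFC 3986 does not allow unencoded, then builds the URL with the chl value percent-encoded. The class and method names are hypothetical, and the character check follows RFC 3986 rather than AntiSamy's own policy regular expressions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashSet;
import java.util.Set;

public class ChartUrlCheck {
    // Characters RFC 3986 permits in a URI: unreserved, reserved, and '%'
    // (which introduces a percent-encoded octet). Assumption: this stands in
    // for the validator's idea of a well-formed URL; it is not AntiSamy's regex.
    private static final String URI_CHARS =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        + "-._~:/?#[]@!$&'()*+,;=%";

    /** Returns the distinct characters in url that must not appear unencoded. */
    static Set<Character> unsafeChars(String url) {
        Set<Character> bad = new LinkedHashSet<>();
        for (char c : url.toCharArray()) {
            if (URI_CHARS.indexOf(c) < 0) {
                bad.add(c);
            }
        }
        return bad;
    }

    /** Builds the chart URL with the formula percent-encoded as the chl value. */
    static String chartUrl(String formula) throws UnsupportedEncodingException {
        // URLEncoder applies form encoding: a space becomes '+' and a literal
        // '+' becomes %2B. Encode the raw formula exactly once; encoding an
        // already encoded value would turn each '%' into %25.
        String chl = URLEncoder.encode(formula, "UTF-8");
        return "https://chart.googleapis.com/chart?cht=tx&chl=" + chl;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // The formula from the thread, written as a Java string literal.
        String formula = "x=\\frac{-b\\pm\\sqrt{b^2-4ac}}{2a}";
        String raw = "https://chart.googleapis.com/chart?cht=tx&chl=" + formula;
        String encoded = chartUrl(formula);

        System.out.println("raw URL unsafe chars:     " + unsafeChars(raw));
        System.out.println("encoded URL:              " + encoded);
        System.out.println("encoded URL unsafe chars: " + unsafeChars(encoded));
    }
}
```

Run the encoding where the URL is generated, before the HTML containing the image tag reaches the sanitizer.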

