[WG: Sakai QA] [Building Sakai] Question - AntiSamy testing

Neal Caidin neal.caidin at apereo.org
Fri Aug 9 11:07:30 PDT 2013


Thanks!

A couple of interesting observations.

The Low setting of AntiSamy did not like the allowfullscreen attribute in the YouTube example, gave a warning and stripped it out, though it allowed the video. The High setting accepted the allowfullscreen attribute. That seems odd.

The Low setting of AntiSamy stripped out several attributes from the ted.com site, though it allowed the video, and High did not allow the video. scrolling, webkitallowfullscreen, mozallowfullscreen, and allowfullscreen were all stripped out on Low (n/a on High since video link isn't kept anyway).

I've added these cases to the Test Plan on https://jira.sakaiproject.org/browse/LSNBLDR-276, but with those attributes stripped out. I presume the attribute stripping is expected behavior? Should Low strip something out which High does not (allowfullscreen attribute)?

-- Neal



Neal Caidin
Sakai CLE Community Coordinator
neal.caidin at apereo.org
Skype: nealkdin
Twitter: ncaidin

On Aug 9, 2013, at 10:36 AM, Sam Ottenhoff <ottenhoff at longsight.com> wrote:

> Check the notes from yesterday's meeting: http://etherpad.ctools.org/rmmt-2013-08-08
> 
> AntiSamy low and high should accept this code:
> 
> <p>
>     <iframe allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/0PKgnOn5w5U" width="560"></iframe></p>
> 
> 
> AntiSamy low (not high) should accept this code:
> 
> <p>
> <iframe src="http://embed.ted.com/talks/jinsop_lee_design_for_all_5_senses.html" width="560" height="315" frameborder="0" scrolling="no" webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe>
> </p>
> 
> 
> On Fri, Aug 9, 2013 at 10:35 AM, Neal Caidin <neal.caidin at apereo.org> wrote:
> Hey all,
> 
> I'm still struggling with this. I want to establish baseline behavior for testing LSNBLDR-276. 
> 
> I need a video source which is NOT included in the list of Flash sites to allow in the High security file. Any ideas? 
> 
> One thought I had was to remove YouTube from my local list of allowed flash sites by updating my copy of high-security-policy.xml. But Sakai did not pick up my change on a restart. Perhaps I have it in the wrong place?
> 
> Documentation says:
> # Override the standard files by placing your own files in:
> #       ${sakai.home}/antisamy/high-security-policy.xml
> #       ${sakai.home}/antisamy/low-security-policy.xml
> 
> So here is what I did:
> 
> 1) In the root of my Sakai directory, I added an "antisamy" sub-directory
> 2) I made a copy of all the security policies and put them in the antisamy sub-directory
> 3) Updated the high-security-policy.xml by removing youtube from "flashSites"
> 4) Confirmed that AntiSamy default is on high (no override in my local settings)
> 5) Ran Sakai locally (pack-demo, in case that makes a difference)
> 
> Unfortunately, Sakai let me add a YouTube video to CK Editor in Announcements. I expected it would strip out the offending code and give me a warning like "The object tag contained an attribute that we could not process…", etc.
> 
> Am I doing something wrong? 
> 
> -- Neal
> 
> 
> 
> On Aug 8, 2013, at 8:19 PM, Neal Caidin <neal.caidin at apereo.org> wrote:
> 
>> [ qa and dev ] 
>> 
>> Hello,
>> 
>> I am testing https://jira.sakaiproject.org/browse/LSNBLDR-276
>> 
>> With AntiSamy on Low setting, so it will play external videos without checking a "trusted sites" list, I see the following behavior. The video plays in the Lessons tool, but adding media in the CK Editor in Announcements I get "The operation couldn't be completed. The file is not a movie file" (see enclosed screenshot).
>> 
>> I'm trying a couple of sites (other than Youtube):
>> http://dai.ly/x12skq3
>> http://current.com/shows/joy-behar/videos/isabella-rossellini-on-her-ex-husband-martin-scorsese-hes-the-funniest-man-on-earth/
>> 
>> Is it because these are not direct video embeds but instead web sites with videos? That's what it looks like through Lessons. 
>> 
>> Ideas?
>> 
>> What would be good sites to test various settings of AntiSamy?
>> 
>> Thanks,
>> Neal
>> 
>> 
>> <PastedGraphic-1.tiff>
>> 
>> 
>> 
>> 
> 
> 
> 
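
Added example (not part of the original thread, and not Sakai or AntiSamy project code): one way to check whether a Low/High difference like the allowfullscreen one comes from the policy files themselves is to compare which iframe attributes each file declares. The two policies here are constructed fragments in AntiSamy's policy XML layout, built only to reproduce the behavior reported above; the check looks at attribute names, not at how values such as src are validated.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

def make_policy(iframe_attrs):
    """Constructed policy fragment (not Sakai's file) in AntiSamy's XML layout."""
    attrs = "".join(f'<attribute name="{n}"/>' for n in iframe_attrs)
    return ('<anti-samy-rules><global-tag-attributes><attribute name="id"/>'
            '</global-tag-attributes><tag-rules>'
            f'<tag name="iframe" action="validate">{attrs}</tag>'
            '</tag-rules></anti-samy-rules>')

BASE = ["src", "width", "height", "frameborder"]
LOW_POLICY = make_policy(BASE)                         # hypothetical "low" policy
HIGH_POLICY = make_policy(BASE + ["allowfullscreen"])  # hypothetical "high" policy

def allowed_attributes(policy_xml, tag):
    """Names declared for `tag` plus global ones; None if the tag is not validated."""
    root = ET.fromstring(policy_xml)
    names = {a.get("name").lower() for a in root.findall("global-tag-attributes/attribute")}
    for rule in root.findall("tag-rules/tag"):
        if rule.get("name", "").lower() == tag:
            if rule.get("action") != "validate":
                return None
            return names | {a.get("name").lower() for a in rule.findall("attribute")}
    return None

class AttrCollector(HTMLParser):
    def __init__(self, tag):
        super().__init__()
        self.tag, self.found = tag, None
    def handle_starttag(self, tag, attrs):
        if tag == self.tag and self.found is None:
            self.found = [name for name, _ in attrs]  # html.parser lowercases names

def undeclared_attributes(policy_xml, html, tag="iframe"):
    """Attributes on the first `tag` in `html` that the policy does not declare."""
    allowed = allowed_attributes(policy_xml, tag)
    collector = AttrCollector(tag)
    collector.feed(html)
    if allowed is None or collector.found is None:
        return None
    return [a for a in collector.found if a not in allowed]

# The two test snippets quoted in the thread.
YOUTUBE = ('<p><iframe allowfullscreen="" frameborder="0" height="315" '
           'src="https://www.youtube.com/embed/0PKgnOn5w5U" width="560"></iframe></p>')
TED = ('<p><iframe src="http://embed.ted.com/talks/jinsop_lee_design_for_all_5_senses.html" '
       'width="560" height="315" frameborder="0" scrolling="no" '
       'webkitAllowFullScreen mozallowfullscreen allowFullScreen></iframe></p>')
if __name__ == "__main__":
    print(undeclared_attributes(LOW_POLICY, YOUTUBE), undeclared_attributes(LOW_POLICY, TED))
```

To run the same comparison on real files, pass the text of the low and high policy XML files in place of the constructed strings.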
