Forum OpenACS Development: Re: html filtering

3: Re: html filtering (response to 1)
Posted by Tom Mizukami on
Thanks Jade. I found the kernel parameter in the antispam section where I can list allowed tags. I was just wondering if there was an all_html flag somewhere.

Our users are used to copying and pasting the html source of sites under scrutiny. I need to preserve this functionality.

This intranet holds some very private and low level classified information thus there is no connection between the internet and the intranet. In order to pull off a cross site attack the attacker would have to first break the virtual machine isolation.

Thanks Joel - you posted while I was typing.

5: Re: html filtering (response to 3)
Posted by Claudio Pasolini on
Look at ad_page_contract and you will find the allhtml flag.
6: Re: html filtering (response to 5)
Posted by Tilmann Singer on
Either change html to allhtml on every page or you could try hacking the ad_page_contract_filter_rule_proc_html proc in packages/acs-tcl/tcl/tcl-documentation-procs.tcl to allow any html on your site. That'd be easier since it would be a change in only one place.

I hope it is clear though that although your system is probably sufficiently protected from attackers from the outside world, these modifications open it up to CSRF attacks from internal users, e.g. one user could steal all the private data from all the other users.
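As an added illustration, not code from this thread or from OpenACS itself, this is what the per-page variant of Tilmann's first option looks like in a page's .tcl file, assuming the standard `name:filter` syntax of ad_page_contract; the page purpose and variable names are made up.

```tcl
# Page contract for a hypothetical "paste-source" page (constructed example).
# With the default :html filter, ad_page_contract runs the value through the
# kernel's HTML security check, which rejects tags not in the antispam
# allowed-tag list mentioned earlier in the thread. Changing the filter to
# :allhtml skips that check for this one parameter only, so every other page
# and parameter keeps the filtered behaviour.
ad_page_contract {
    Accepts the HTML source of a page under scrutiny for later review.
} {
    subject:notnull
    html_source:allhtml,notnull
    {notes:html ""}
}

# Anything stored through html_source is later re-emitted unfiltered, which
# is the internal CSRF exposure Tilmann describes, so keep the :html default
# on every parameter that does not strictly need raw markup.
```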