Forum .LRN Q&A: Custom Portlet - Strange Behavior

Posted by Nima Mazloumi on
Hi everybody,

I was playing with custom portlets and experienced 3 things:

1. Sometimes the unused portlet is not shown in the list of unused portlets to be added to a page I defined. A few minutes later it is possible.

2. At another time the same portlet is displayed in the list of unused portlets but when I try to add it I get the error message that I supplied 2 values for 'portal_id'.

3. The maximum size of the content of a custom portlet is 4000. Where do I have to change that?

Greetings,
Nima

Posted by Dirk Gomez on

1. Caching! - Sounds like caching.

4000 is an eerie Oracle limit. It's 12 bits and the 4 remaining bits are reserved for something else (that's my guess).

How much of a limit is 4000 Bytes to you? Should we tear down this barrier?

Posted by Nima Mazloumi on
IMHO there should not be a limit because there are many requests from users to use a custom portlet as a container for static HTML content like a course overview, list of books, link list or even a fancy page describing the course content etc. So why should we limit the content? The admin must understand by himself that usability should be considered. What do you think?

Two other thoughts:

1. Do you think it is possible to extend the custom portlet to also accept HTML with @..@ parameters to return customized content per user and class, for instance?

2. If I want to create a new portlet type like custom portlet, how do I have to do that? Can you name a package that is easy to understand and a starting point for this purpose. Which other files do I have to change to make a new portlet available for all classes and communities?

Best wishes,
Nima

Posted by Dirk Gomez on
Give it a try and just include @..@ variables. It should be interesting to see whether it works and how they are quoted.

Otherwise removing the limit: I was just guessing about the 4000 byte limit, it sounds quite reasonable though :) Can someone confirm? If it is the dreaded varchar2(4000) limit, then Nima should file an enhancement request and that can be picked up for 5.1.

Posted by Nima Mazloumi on
I tried to include a @..@ parameter. It is not considered as one but displayed as text.
Posted by Dirk Gomez on
On a second thought: Allowing arbitrary variables sounds like a potential security risk.

What do you want to display exactly? There's probably just a limited set of "things" (variables) you'd want to display, these could be allowed explicitly.

Posted by Nima Mazloumi on
I think the description should allow html formatting elements like b, hr, h1...h7, ul, ol, li, tables, div, img, font, object, span, p, strong, br...

The list is long. Maybe one should think of excluding those that might be a security hole.

But how do you think it is possible to abuse that? Isn't there a parameter in the Kernel where I can explicitly allow elements and attributes? Then the administrator is able to decide what is permitted and what is not. I think this would be a better solution.

What do you think?

Posted by Dirk Gomez on

If I evaluate variables, I may also evaluate code. The current templating system definitely allows that. You can - unfortunately - still embed Tcl constructs in your ADP snippets and they get evaluated.

Now some malicious user can come along and embed stuff like [rm -rf /] and that command will be executed with the rights of the webserver on the filesystem. You definitely don't want that.

(Maybe this doesn't apply in this particular case because new-portal does something unusual. Can someone confirm?)

Any snippet of html is potentially dangerous. You can always sneak in javascript e.g. even on the bold tag. And new-portal comes with its own templating system and isn't yet fully affected by the noquote patch. (See https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=952).
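
Added example (not code from the thread, from new-portal or from the OpenACS kernel) illustrating the two controls discussed in this thread: Dirk's suggestion a few posts up that only an explicit set of variables be substituted, and, from this post, an allowlist of HTML tags and attributes so that a bold tag carrying an `onmouseover` handler or a link with a `javascript:` href is neutralised. It is written in Python rather than Tcl so it can be run stand-alone. The tag and attribute policy, the variable names `user_name` and `community_name`, and the sample portlet content are assumptions constructed for the example, not package settings or real data.

```python
# Added example, not code from the new-portal/.LRN package: render a custom portlet
# through an explicit allowlist of HTML tags/attributes (so <b onmouseover="..."> or
# <a href="javascript:..."> cannot carry script) and an explicit allowlist of @name@
# variables, substituted HTML-escaped and never evaluated. Tag, attribute and
# variable names below are assumptions made for this example, not package settings.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {  # assumed admin policy: tag -> attributes permitted on it
    **{t: set() for t in "b strong i em br hr p div span ul ol li table tr th td"
       " h1 h2 h3 h4 h5 h6".split()},
    "a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "hr", "img"}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # javascript:, data:, vbscript: rejected
ALLOWED_VARS = {"user_name", "community_name"}  # assumed set of permitted @vars@
VAR_RE = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)@")


def url_is_safe(value):
    # Relative URLs and allowlisted schemes only. Control characters and whitespace
    # are stripped first because browsers ignore them inside a scheme ("java\tscript:").
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return False
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    # Re-emits allowlisted tags/attributes only; other tags are dropped, text is
    # escaped, and everything inside <script>/<style> is discarded.
    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name not in ALLOWED_TAGS[tag]:
                    continue  # this drops every on* handler, style=, etc.
                value = value or ""
                if name in URL_ATTRS and not url_is_safe(value):
                    continue
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open_tags:
            while self.open_tags:  # close back to the match so output stays well-formed
                opened = self.open_tags.pop()
                self.out.append("</%s>" % opened)
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:  # close whatever the author left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def substitute_vars(html, context):
    # Only allowlisted names are replaced, the value is escaped, and the output is
    # not rescanned; an unknown @name@ stays literal text, as observed in the thread.
    def repl(m):
        name = m.group(1)
        if name in ALLOWED_VARS and name in context:
            return escape(str(context[name]), quote=True)
        return m.group(0)
    return VAR_RE.sub(repl, html)


def render_portlet(content, context):
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(content)
    return substitute_vars(sanitizer.result(), context)


# Constructed sample of what a hostile portlet author might save as "content".
SAMPLE_CONTENT = (
    '<h1>Welcome, @user_name@</h1><b onmouseover="alert(document.cookie)">Course overview</b>'
    '<a href="javascript:alert(1)">books</a> <a href="/dotlrn/classes/@community_name@">@community_name@</a>'
    '<script>document.location="http://attacker.example/"</script>'
    '<img src="data:text/html;base64,PHNjcmlwdD4=" alt="x"> @secret_setting@ <object data="x.swf">flash</object>'
)
SAMPLE_CONTEXT = {"user_name": "Nima <n@x>", "community_name": "CS101"}


def demo():
    return render_portlet(SAMPLE_CONTENT, SAMPLE_CONTEXT)
```

Running `demo()` on the constructed sample keeps `<b>Course overview</b>` and `<a>books</a>` with the handler and the `javascript:` link stripped, drops the `script` and `object` elements entirely (so `object`, which appears in the tag list requested earlier in the thread, is deliberately not in this allowlist), rejects the `data:` image source, and leaves `@secret_setting@` as literal text because it is not an allowed variable. Two design points matter: the content is treated purely as data and never handed to a template evaluator, and substitution happens after sanitising, with each value escaped and the result not rescanned, so a substituted value can neither inject markup nor be interpreted as another placeholder.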

Posted by Nima Mazloumi on
I looked at the sql and the content attribute is limited to 4000. So it is easy to change that to a higher value. I tested this and it works fine. Maybe this could also be done with the original package in CVS.