Forum OpenACS Development: HREF attribute not allowed by default in OpenACS 5.0

I found out after upgrading that the HREF attribute is no longer allowed by default for A tags when text is processed through ad_html_security_check.

In OpenACS 4.6.3 there was an AllowedURLAttribute parameter to ACS Kernel that was removed for 5.0.

I think it's true there is some potential for cross site scripting allowing users to post HTML with links. Is this the reasoning behind this?

I know the richtext widget can turn URLs in text to links. But I do not know of an alternative to do this:
<a href="http://www.example.com">Some Text</a>

Posted by Lars Pind on
Dave,

This is unintentional. Can you reproduce this on the test server?

What happened was that I changed the existing Allowed* params to accept a * wildcard for any tag/any attribute, etc.

Also, I got rid of the allowedURLattribute stuff.

But that shouldn't cause simple <a href="..."> to not be allowed anymore. If so, please file a sev 2, pri 1 bug.

And add an automated test case!

/Lars

Posted by Dave Bauer on
Bug Report:
https://openacs.org/bugtracker/openacs/com/acs-tcl/bug?bug%5fnumber=1310

I added an automated test case to oacs-5-0 branch in acs-tcl/tcl/test/html-conversion-procs.tcl.

Obviously it fails now. If you add href to the AllowedAttribute parameter of acs-kernel the test will pass (and you can enter HTML links in a richtext widget).
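To make the allowlist behaviour under discussion concrete, here is an added Python sketch (not OpenACS code, which is Tcl) of the kind of check ad_html_security_check performs: tags and attributes are matched against Allowed* lists honouring the `*` wildcard Lars describes, and URL-valued attributes such as href are additionally checked against an allowed-scheme list. The URL_ATTRS set, the default scheme list and the function name are my assumptions, not the kernel's actual parameter values.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose values are URLs and therefore get a scheme check
# (assumed set; OpenACS 4.6.3 kept such a list in AllowedURLAttribute).
URL_ATTRS = {"href", "src", "action", "background", "cite", "longdesc"}


class _AllowlistChecker(HTMLParser):
    """Collects every tag, attribute or URL scheme outside the allowlists."""

    def __init__(self, allowed_tags, allowed_attrs, allowed_protocols):
        super().__init__()
        self.tags = {t.lower() for t in allowed_tags}
        self.attrs = {a.lower() for a in allowed_attrs}
        self.protocols = {p.lower() for p in allowed_protocols}
        self.problems = []

    def handle_starttag(self, tag, attrs):
        # "*" in a list means "anything", mirroring the 5.0 wildcard semantics
        if "*" not in self.tags and tag not in self.tags:
            self.problems.append(f"tag <{tag}> is not allowed")
            return
        for name, value in attrs:
            if "*" not in self.attrs and name not in self.attrs:
                self.problems.append(f"attribute {name} on <{tag}> is not allowed")
                continue
            if name in URL_ATTRS and value is not None:
                scheme = urlsplit(value.strip()).scheme.lower()
                # relative URLs have no scheme and pass; absolute ones must match
                if scheme and "*" not in self.protocols and scheme not in self.protocols:
                    self.problems.append(f"scheme {scheme}: in {name} on <{tag}> is not allowed")


def html_security_check(html, allowed_tags, allowed_attrs,
                        allowed_protocols=("http", "https", "mailto")):
    """Return a list of problems; an empty list means the fragment passes."""
    checker = _AllowlistChecker(allowed_tags, allowed_attrs, allowed_protocols)
    checker.feed(html)
    checker.close()
    return checker.problems


if __name__ == "__main__":
    # The link from the first post, checked with and without href allowed
    sample = '<a href="http://www.example.com">Some Text</a>'
    print(html_security_check(sample, {"a", "b", "p"}, {"href"}))   # []
    print(html_security_check(sample, {"a", "b", "p"}, {"title"}))  # href rejected
```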