Forum OpenACS Development: html filtering

Collapse
1: html filtering
Posted by Tom Mizukami on 05/19/03 08:28 PM
How do I turn off the html filtering sitewide? I am aware of the cross site (CSRF) security issue. This is for an intranet with certificate based authentication. Was there any other issue with allowing raw html in forums, wimpy point, etc. Thanks.
Collapse
2: Re: html filtering (response to 1)
Posted by Jade Rubick on 05/19/03 11:01 PM
There is a parameter for allowed HTML tags. You might be able to turn it off there. Or enter all the allowed HTML tags? I'm not sure if there's a switch to turn all HTML filtering off.

Even with an Intranet, there could be concerns letting people have unfiltered HTML. A malicious user that knew what they were doing could break in and steal anything that was valuable on the Intranet.

Collapse
4: Re: html filtering (response to 2)
Posted by Joel Aufrecht on 05/20/03 01:44 AM
Go to /admin/site-map/ and select ACS Kernel [set parameters]. In the "Antispam" category you can add to the lists of allowed tags and attributes. I'm not aware of an attribute to disable HTML filtering altogether.
Collapse
3: Re: html filtering (response to 1)
Posted by Tom Mizukami on 05/20/03 02:02 AM
Thanks Jade. I found the kernel parameter in the antispam section where I can list allowed tags. I was just wondering if there was an all_html flag somewhere.

Our users are used to copying and pasting the html source of sites under scrunity. I need to preserve this functionality.

This intranet holds some very private and low level classified information thus there is no connection between the internet and the intranet. In order to pull off a cross site attack the attacker would have to first break the virtual machine isolation.

Thanks Joel - you posted while I was typing.

Collapse
5: Re: html filtering (response to 3)
Posted by Claudio Pasolini on 05/20/03 08:24 AM
Look at ad_page_contract and you will find the allhtml flag.
Collapse
6: Re: html filtering (response to 5)
Posted by Tilmann Singer on 05/20/03 04:48 PM
Either change html to allhtml on every page or you could try hacking the ad_page_contract_filter_rule_proc_html proc in packages/acs-tcl/tcl/tcl-documentation-procs.tcl to allow any html on your site. That'd be easier since it would be a changein only one place.

I hope it is clear though that although your system is propably sufficiently protected from attackers from the outside world, these modificiations open it up to CSRF attacks from internal users, e.g. one user could steal all the private data from all the other users.

Collapse
7: Re: html filtering (response to 1)
Posted by Tom Jackson on 05/20/03 06:09 PM

I thought that you could still invoke these cross site scripting programs by including an image tag, or providing an anchor tag that when followed, would activate the program in the context of the clicker.

Collapse
8: Re: html filtering (response to 1)
Posted by David Cotter on 05/21/03 03:56 PM
I hacked this before in ./packages/acs-tcl/tcl/text-html-procs.tcl  in version 4.6 to allow all HTML to be posted on the forums:

diff text-html-procs.tcl text-html-procs.tcl~
596,597c596
<          #set tagname [string tolower [string range $html [lindex $name_idx 0] [lindex $name_idx 1]]]
<          set tagname "li"
---
<blockquote>          set tagname [string tolower [string range $html [lindex $name_idx 0] [lindex $name_idx 1]]]
</blockquote>
615,616c614
<                  #set attr_name [lindex $attribute 0]
<                  set attr_name "href"
---
<blockquote>                  set attr_name [lindex $attribute 0]
</blockquote>