Forum .LRN Q&A: Re: Custom Portlet - Strange Behavior

Posted by Nima Mazloumi on
I think the description should allow html formatting elements like b, hr, h1...h7, ul, ol, li, tables, div, img, font, object, span, p, strong, br...

The list is long. Maybe one should think of excluding those that might be a security hole.

But how do you think it is possible to abuse that? Isn't there a parameter in the Kernel where I can explicitly allow elements and attributes? Then the administrator is able to decide what is permitted and what not. I think this would be a better solution.

What do you think?

Posted by Dirk Gomez on

If I evaluate variables, I may also evaluate code. The current templating system definitely allows that. You can - unfortunately - still embed TCL constructs in your ADP snippets and they get evaluated.

Now some malicious user can come along and embed stuff like [rm -rf /] and that command will be executed with the rights of the webserver on the filesystem. You definitely don't want that.

(Maybe this doesn't apply in this particular case because new-portal does something unusual. Can someone confirm?)

Any snippet of html is potentially dangerous. You can always sneak in javascript e.g. even on the bold tag. And new-portal comes with its own templating system and isn't yet fully affected by the noquote patch. (See https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=952).
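As an added illustration of the defensive side of both posts (example code, not from this thread and not OpenACS's own implementation), here is a small allowlist check in the spirit of the per-element/per-attribute parameter Nima asks about: it rejects tags and attributes outside a configured list, rejects URL schemes outside a configured list, and refuses any snippet containing Tcl substitution characters before it could reach an ADP evaluation. The allowlists, the `check_description` name and the sample inputs are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed allowlists for this example (an administrator would configure these).
ALLOWED_TAGS = {"b", "hr", "h1", "h2", "h3", "ul", "ol", "li", "table", "tr", "td",
                "div", "img", "span", "p", "strong", "br", "a", "font"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "color", "size", "width", "height"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Characters that trigger Tcl substitution ([command], $var, \escape) if the
# snippet is ever evaluated as template code rather than treated as data.
TCL_SUBST = re.compile(r"[\[\]$\\]")


class AllowlistChecker(HTMLParser):
    """Records the first policy violation instead of trying to repair the markup."""

    def __init__(self):
        super().__init__()
        self.problem = None

    # HTMLParser lowercases tag and attribute names, so case tricks do not help.
    def handle_starttag(self, tag, attrs):
        if self.problem:
            return
        if tag not in ALLOWED_TAGS:
            self.problem = f"tag <{tag}> is not allowed"
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS:
                self.problem = f"attribute '{name}' on <{tag}> is not allowed"
                return
            if name in ("href", "src"):
                scheme = urlsplit((value or "").strip()).scheme
                if scheme and scheme not in ALLOWED_SCHEMES:
                    self.problem = f"scheme '{scheme}' in {name} is not allowed"
                    return


def check_description(text):
    """Return None if the snippet passes the policy, otherwise the reason to reject it."""
    if TCL_SUBST.search(text):
        return "snippet contains Tcl substitution characters"
    checker = AllowlistChecker()
    checker.feed(text)
    checker.close()
    return checker.problem
```

Rejecting rather than rewriting keeps the check simple to reason about; the description is only stored once it passes, and it should still be quoted on output.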