Forum OpenACS Q&A: Edit-this-page and FORMs

Posted by Peter Holzleitner on
For a particular site, I'm using Edit This Page with all HTML tags and attributes allowed - this is for friendly admins only.

A page saved as HTML is stored & displayed correctly except for one "minor" issue - anything between FORM ... /FORM tags is cleanly cut out of the result.

Is there a way to turn this "feature" off, i.e. allow FORMs in pages? Alternatively, where is this behaviour implemented so that I can reconfigure it with my good ol' axe?

TIA
--Peter

Posted by Eric Wolfram on
I think this is a security risk. They don't allow image tags or even tags like in the etp either. I'm not sure why it's a security risk... if someone gets admin privileges to acs then they could add an image or form that does nasty things to the server perhaps? Any comments or pointers to info on why etp doesn't allow certain HTML tags?

I certainly would like to allow privileged users to add image tags to some etp pages on a travel site I'm doing!
e

Posted by Eric Wolfram on
strange... the forum seemed to accept my 'small' tag even though it shouldn't have, at least according to the standard error message...

" For security reasons we only accept the submission of HTML containing the following tags: B I P A LI OL UL EM BR TT SPAN STRONG STRIKE BLOCKQUOTE CODE PRE FIRST_NAMES LAST_NAME EMAIL GROUP_NAME H1 H2 H3 H4 DL DT DD TABLE TR TD TH SELECT OPTION SMALL STYLE."

Posted by Peter Holzleitner on
The tags you believe "they" don't allow can be configured - look at the AllowedTag parameter of the OACS Kernel.

To repeat: That is not my problem, and I understand about security but NEED to have forms there. Yes, I also understand how to create a page outside ETP and refer to this, but that's a very lame workaround - it HAS to work from within ETP.

Posted by Dave Bauer on
Peter,

I can imagine there is a nicer way to do what you want. Anyway, look in ad_text_html_convert and related procedures in packages/acs-tcl/tcl/text-html-procs.tcl

I looked into this before and I am pretty sure the conversion procedures are causing it.

Posted by Eric Wolfram on
<blockquote>The tags you believe "they" don't allow can be configured - 
</blockquote>

Yikes -- me -- I dislike that "they" the most! Thanks for 
pointing that out. I have images in ETP, thank you. 

<blockquote>To repeat: NEED to have forms there. 
</blockquote>

I could see how forms in etp would be nice too. I see the issue and I can reproduce it -- no forms in etp. This comment in text-html-proc.tcl looks suspicious:

        # LARS: Only close tags which we aren't supposed to remove
        if { ![string equal $syn($tag) "discard"] && ![string equal $syn($tag) "remove"] } {
            append out "</$tagstack($i)>"
        }
    }

gotta go -- kid cryin'. Post back here if you figure it out...
e
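The quoted Tcl fragment shows the mechanism behind both Peter's missing FORMs and Dave's pointer to the conversion procedures: each tag carries a verdict, and a tag whose verdict is "discard" is dropped together with everything inside it, a "remove" tag is stripped while its content survives, and only the remaining (allowed) tags are emitted and closed. The following Python is an added illustration written for this thread, not OpenACS code, modelling that allow/remove/discard allowlist so the effect of each verdict can be seen on its own. The POLICY table, the VOID_TAGS set, the sample HTML and the default verdict of "remove" for tags not listed are all constructed assumptions; the real tag table lives in the kernel's AllowedTag parameter and the filter in text-html-procs.tcl.

```python
from html.parser import HTMLParser

# Constructed policy table, modelled on the syn($tag) lookup in the Tcl
# fragment quoted above. Three verdicts:
#   allow   -> the tag (with its attributes) is emitted unchanged
#   remove  -> the tag is stripped, but its content survives
#   discard -> the tag AND everything inside it are dropped
POLICY = {
    "b": "allow", "i": "allow", "p": "allow", "a": "allow", "small": "allow",
    "img": "remove",
    "form": "discard", "input": "discard", "script": "discard",
}
# Assumed set of void elements: these never carry a closing tag.
VOID_TAGS = {"br", "img", "input", "hr"}


class AllowlistFilter(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=False)
        self.policy = policy
        self.out = []
        self.stack = []        # (tag, verdict) of open, non-void elements
        self.discarding = 0    # nesting depth inside discarded elements

    def verdict(self, tag):
        # Assumption: a tag not on the allowlist is "remove"d, not discarded
        return self.policy.get(tag.lower(), "remove")

    def handle_starttag(self, tag, attrs):
        v = self.verdict(tag)
        if tag in VOID_TAGS:
            # No close tag will follow, so decide right here
            if v == "allow" and not self.discarding:
                self.out.append(self.get_starttag_text())
            return
        self.stack.append((tag, v))
        if v == "discard":
            self.discarding += 1
        elif v == "allow" and not self.discarding:
            self.out.append(self.get_starttag_text())

    def _close(self, open_tag, v):
        if v == "discard":
            self.discarding -= 1
        elif v == "allow" and not self.discarding:
            # Same rule as the Tcl comment: only close tags we keep
            self.out.append(f"</{open_tag}>")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or all(t != tag for t, _ in self.stack):
            return  # void element or stray close tag: nothing to do
        # Pop back to the matching open tag (tolerates sloppy nesting)
        while self.stack:
            open_tag, v = self.stack.pop()
            self._close(open_tag, v)
            if open_tag == tag:
                break

    def handle_data(self, data):
        if not self.discarding:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.discarding:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.discarding:
            self.out.append(f"&#{name};")

    def close_all(self):
        # Close whatever is still open, as the Tcl loop over tagstack does
        while self.stack:
            self._close(*self.stack.pop())


def filter_html(html, policy=POLICY):
    """Run the allowlist filter over one HTML string and return the result."""
    f = AllowlistFilter(policy)
    f.feed(html)
    f.close()
    f.close_all()
    return "".join(f.out)


if __name__ == "__main__":
    # Constructed sample page: the FORM and its INPUT vanish under the
    # default policy, and survive once both are promoted to "allow".
    page = '<p>Hi <b>there</b><form action="/x"><input name="q"><b>inside</b></form> after</p>'
    print(filter_html(page))
    print(filter_html(page, {**POLICY, "form": "allow", "input": "allow"}))
```

The second call is the equivalent of what Peter is after: promoting FORM and INPUT to "allow" keeps the form exactly as the editor typed it, attributes included. The trade-off the thread is circling is that every tag moved to "allow" is now trusted from everyone who can edit those ETP pages, which is why the stock table keeps the verdict list tight and leaves widening it to a deliberate configuration change.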