Forum OpenACS Development: Saving Javascript and CSS in the HTML area of Widget

Request notifications

Hi there,

Within the HTML area of Widget, I want to save Javascript, especially script that displays google adverts and amazon code.

Enhanced Text is saved as a format in the widget.

However, the HTML format is not saved.

How do I set up the HTML format so it will be saved?

If the HTML format can be saved, will that allow users to save their Javascript code?

This widget used on these forums permits all 4 formats to be saved, and our widget won't save the HTML format. Is there a parameter I should change?


Posted by Julieanne van Zyl on

We are looking for someone we can pay to get this to work, this is why we are looking at solutions.

Does anyone know if this is a quick fix?

Is the code already there to save in HTML?

Or, does new code have to be written to save Javascript code within the HTML format?

Thanks in advance.


Posted by Gustaf Neumann on
I am not sure if i understand your question: openacs comes with two rich text editors (RTE and xinha) that output/display only HTML. if the richtext-widget is used, but the richt-text-editors are disabled, HTML content can be provided directly as well. For example xowiki uses xinha (see e.g.

So, saveing HTML (-fragments) is not a problem at all. The question is, whether you really want to allow users to provide javascript code, since this opens your site to a wide range of cross site scripting attacks. Therefore the default configuration for HTML is to disallow tags that are a potential risk. You can as a site admin add any kind of tags to the list of permitted tags.

Hi Gustaf, thanks for responding.

We can save HTML fragments with the format "Enhanced Text" from the pull down box at the bottom of the HTML area box.

Our users were using Javascript code before we migrated to OpenACS and we want to allow them to use it again.

As a site admin, where do I add the tags to the list of permitted tags?

Is that within the acs-templating package?

Go to /admin/site-map and select 'Kernel' under the heading 'Services'. Here you will find the 'AllowedAttribute' and 'AllowedTag' parameters.
This being so hard to find reminds me that we should probably update the default lists of allowed tags and attributes (they are pretty crusty).

Here is the list from the 5.2 branch for review:


align alt border cellpadding cellspacing color face height href hspace id name size src style target title valign vspace width

Here is an updated list from one of the more conservative OpenACS servers I run:

a abbr acronym address b big blockquote br caption cite code col colgroup del dfn div dd dl dt em font h1 h2 h3 h4 h5 h6 hr i li ins ol p pre q s samp span strike strong sub sup table tbody td tfoot th thead tr tt u ul var EMAIL FIRST_NAME LAST_NAME GROUP_NAME

abbr align alt axis bgcolor border cellpadding cellspacing char charoff charset cite class classid clear color colspan datetime dir face frame headers height href hreflang hspace id longdesc name rel rev rowspan rules scope size src style target title type valign vspace width

Anyone see any problems with these two lists? Any additions? We should update these before the next release imho.

Carl, here is some feedback mostly about the tags,
i have not looked at the attributes in detail.

we should allow tags from html 4.01 excluding these
- programmatical elements (forms, form elements, applet, object, map, script/noscript),
- head elements (link, title, meta, ...),
- frames
- style

Potentially dangerous are tags/attributes allowing urls, which have to be checked to disallow javascript: and which point to untrusted sites. oacs already checks for untrusted protocols, but it is very hard to do this everywhere (e.g. parsing inline styles). so, potential dangerous are
- A and
- IMG,
- but as well the STYLE attribute.

The XSS page lists e.g.

<>DIV STYLE="background-image: url(javascript:alert('XSS'))">


<DIV STYLE="width: expression(alert('XSS'));">

which are dangerous for some browsers.

So, the STYLE attribute is dangerous and should be handled with care (e.g. not in the default configuration).

Other attributes like e.g. CLASS can be used to confuse the user (e.g. using style elements from the navigation) or might break code (using ID, when javascript elements of oacs search for IDs and find unexpected occurrences)

here is a slightly completed and sorted list of HTML 4.01 elements:

abbr acronym address b big blockquote br caption cite code col
colgroup dd del dfn div dl dt em fieldset font h1 h2 h3 h4 h5 h6 hr i
ins kbd legend li ol p pre q s samp small span strike strong sub sup
table tbody td tfoot th thead tr tt u ul var

i am not sure if we should allow the ms office tags in the web pages, since these will cause errors on HTML conformance tests.

In general, we should distinguish between public content (so special rights are required to provide HTML content) like in a public forum, where a conservative policy is required, and somewhat trusted and known content developers, where a more liberal policy can be used.

For the general user i would ask myself, why do we want to allow e.g. CLASS, STYLE or ID, what do we gain by doing so. The general policy should stay conservative.

Posted by Dave Bauer on
OpenACS definitely needs a way to assign different HTML security policies based on who is editing what.

For a site administrator editing the home page, we most likely need to allow any HTML, but for a regular user posting a forum message, we would need to be more conservative.

One thing I tried was to just skip HTML security for site-wide admins, which solves the problem for the simplest sites.

Posted by Julieanne van Zyl on
Hi everyone, this helps a LOT thank you very much!!

I found them now.

Is it possible to specify different allowed tags for different packages?

For example, we want the default tags for Forum posts.

For Blogs and Library files, we would like to allow more tags so people can place their amazon adverts and google adverts, and some other javascript like webrings etc..

regards, Julieanne