
Assessment Admin UI

Created by Caroline Meeks, last modified by Gustaf Neumann 05:25 AM, Friday


  • Update this page with the latest work
  • Carl will fill in here... 

The current UI is very confusing and cluttered.

Our vision of a final UI is that an assessment creator would pick the type of assessment he wants and the site would set all defaults appropriately for it. However, the first attempt to do this was a failure, so we are working on an incremental approach that we think will provide value with minimal effort. Our intent is to move later to an even friendlier UI.

Incremental Improvement Vision: The current user experience is that every time you create anything you are confronted by many, many choices, most of which you can ignore. Similarly, all the admin pages have many repeated buttons and it is not clear when you want to do what. Thus our goal is:

  • Creation pages are very simple and useful defaults are set for everything.
  • Objects then have one button to an Edit page that has all the complex things you can do with the object.

Related Pages:

These are screenshots of the work in progress (images not included here):

  • Simplified quick assessment creation form
  • One Assessment Admin Page
  • One Section Admin Page
  • Add a question page: first the original question form, then the new form

The question creation process used to require filling out three forms. We compressed it to one form by removing unused settings and making intelligent default decisions. Some more work needs to be done. Assessment has a huge number of complex features and it is not clear how they are used together to create a certain type of assessment. It is clear that all of the settings rarely need to be used together.


Official Test Servers

Created by Gustaf Neumann, last modified by Gustaf Neumann 11:53 AM, Thursday

Currently none

{done} OpenACS 5.3.x releases

Created by Rocael Hernández Rizzardini, last modified by Gustaf Neumann 11:53 AM, Thursday

OpenACS 5.3.x Releases

Update: OpenACS 5.3.0a1 is available for download or by checking out the openacs-5-3-0a1 tag from CVS. Work continues on the oacs-5-3 branch in CVS.

The main goal is for acs-core to pass all the automated tests (PostgreSQL 8.1.x and Oracle 9i).

We plan to branch oacs-5-3 in September 2006.

Several bug-stomps in which we create, fix and update tests for acs-core have been done.

Bug-stomp: 21-22 Sept. 2006. Focus on having all existing tests pass for acs-core (no new tests), plus start classifying the bugs in the bug-tracker. Based on the results of this bug-stomp we will decide when to branch and which bug-fixes should go into the next release.


Check the Official Test Servers



Feature Requests for's XoWiki

Created by Robert Taylor, last modified by Gustaf Neumann 08:51 AM, Thursday


Most of the Feature Request are complete.  THANK YOU GUSTAF AND DAVE! I am adding a few minor enhancement requests and removing the completed requests.


Some comments to the requests from Gustaf Neumann

Comments and responses by Robert Taylor

Feature Requests:

1.  DELETING DOCUMENTS - Normal users should not have DELETE privileges, but administrators should.  As an administrator I don't see a DELETE option in the menu in the top right hand of every page.  Perhaps DELETE should go between the NEW PAGE and INDEX items.

    Added a delete button on the view page. Mostly useful when the default listing of all entries is replaced by a tailored index page.

2.  HIERARCHICAL CATEGORIES - Left hand menu needs to properly show SUBCATEGORY WITHIN SUBCATEGORY in a hierarchical relationship.  Clearly one thing we will have to take into consideration is hierarchy layout and spacing issues - do we preload all categories or do we just preload a preset number of levels down and then dynamically load the rest below a certain threshold. Dave mentioned the UI component has to be coded up to handle that type of layout.

     Hierarchical display of categories added to the version in CVS head. Spacing is a matter of style-sheets.

3.  XINHA SUPERPOWERS - Xinha is one amazing editor, and just looking at their page it's still not complete.  I think we need to look at stripping some of the features out of our Xinha install on XoWiki.  This should probably be based around generating a STYLE GUIDE for the wiki and basing our Xinha hacking on that.  Dave mentioned it is possible to take away Xinha features fairly easily so we will look at that further.

    Xinha is configured via plugins (see ). XoWiki uses by default the following settings, which are some standard options plus the OacsFs plugin contributed by Günter Ernst and me. The standard behavior can be modified by the settings of the WikiForm (in xowiki-procs) for the whole installation. A per-instance setting will follow in the future.

4.  ADMINISTRATION SECTION - If you select the "XOWIKI" item in the location area on the page (OpenACS Home : xowiki : New XoWiki Page) the link seems to alternate between the INDEX page and ADMIN page although it seems a bit random.  I think this is probably a bug, but it should be changed to the following:

a) Selecting XOWIKI in the location of the page should always go to INDEX just like the item "INDEX" in the wiki page UI does.

b) For administrators we should add an item ADMIN to the wiki page admin menu so that the administrator can go to the admin section and work on templates, delete documents, etc.

    Can't reproduce a. xowiki in the breadcrumbs and index both point to oacs.orig/xowiki, so they should return the same values. In earlier versions there was a caching bug, which is - I think - gone since the end of Feb.

    Concerning permissions etc.: currently, xowiki uses a simple permission system: it checks write permissions on the folder; these write permissions are used to distinguish admins and readers. Future versions should have a much richer permission system, where one can alternatively use different permission policies based on per-page permissions (this is, however, much more expensive and will use much less caching). For now, do you folks want, in addition to the new delete entry, also an admin button in case a user has write permissions on the folder?

5.  PRINT PAGE - All users should have an item in the wiki page menu (for every wiki page) labeled "PRINT".  This action would refresh the page content and / or bring up a popup with the content of the page in a printer friendly format without various user interface components.

6.  IMPORT / EXPORT DIR TREE - The ability to import/export a directory tree of XoWiki documents has use for and arguably as a general XoWiki feature. In the case of OpenACS, exporting would allow these /xowiki pages to be saved into static pages so that they can be read independently of and independent of having a local running OpenACS system.

Problem example: OpenACS moves documentation to XoWiki. Documentation is no-longer available as static pages on local machine(s). Users/admins become dependent on reading docs from or spidering the pages using wget etc.. of course most likely during the busiest times that OpenACS is being accessed ;) etc. etc.

7.  PAGE REVISION (AS TIMESTAMP) - Exporting files (request 6) would bring about questions of comparing file exports (at least on a page by page basis). Having a page revision displayed on each page as a timestamp would help to reduce any ambiguity as to which statically exported page is more current --regardless of export technique (wget, XoWiki export feature etc.)




  • xowiki is not visible in IE. Must be a CSS issue. Does anyone have an idea why this happens?
    • No kidding?! Doesn't work in IE. Will post bug.
    • Fixed. This was an unclosed script tag in the xowiki installation on
  • For some reason I always get a popup window: "Error reading Language-File (/resources/acs-templating/xinha-nightly/plugins/OacsFs/lang/de.js) - Syntax Error: missing ; before statement"
    • Must be something on, does not show up on other installations. I have developed the plugin, and do not have the mentioned file.
  • The CodeMatrix includes need a little clean up: left alignment and top valignment for each heading
    • Must be done by someone at or vinod. Most probably some CSS fiddling.


  • Page language: Wouldn't it be more readable and less technical if we did not display the language shortcut "en:" or other before each link to a wiki page?
    • One can use arbitrary labels in a reference between square brackets.
  • The category tree on the left breaks long names, which is OK, but the next line should have more left margin in order to start right after the dot. Another solution would be to cut off the tail of long names.
    • CSS fiddling. Should be done by someone with CSS knowledge and taste. Uses currently the original settings from|mktree

Further Features

  • Support for NOTIFICATIONS for xowiki so that you are notified if a page was added or changed
  • List view for category nodes that displays all children on the right when you click on it.
    • Don't understand. You mean, without expanding the current page?
  • Display the name of the person who edited the page in "Latest Page edits" (ADP portlets/categories-recent {name {Recent Entries by Categories} max_entries 30)


  • Any chance that we can define a sub type PackagePage that automatically provides the info, bug-tracker and code metric includes?
  • Some kind of traffic lights that show green, yellow or red depending on the maturity of the package, db support
  • More categorization for packages: Core, Non-Core is too technical, no?
  • When clicking on a category it would be great if the list of all packages within the category were displayed as APM does at upgrade/installation time.
    • Sounds like a different or additional category tree


F. A. Q.

Created by Robert Taylor, last modified by Gustaf Neumann 17 Oct 2017, at 08:40 AM

Previous version of FAQ (with many more Q and A):  /faq 

A cookbook of procedures is available at: OpenACS Cookbook 

Install OpenACS distribution

Created by OpenACS community, last modified by Gustaf Neumann 11 Oct 2017, at 08:42 AM

You should have an OpenACS distribution downloaded and available at /var/lib/aolserver/$OPENACS_SERVICE_NAME; otherwise see en:Get_the_Code.

Option 1: Use an automated script

A bash script is available to automate all of the steps for the rest of this section. It requires tclwebtest. The automated script can greatly accelerate the install process, but is very sensitive to the install environment. We recommend that you run the automated install and, if it does not work the first time, consider switching to a manual installation.

Get the install script from CVS. It is located within the main cvs tree, at /etc/install. Use anonymous CVS checkout to get that directory in the home directory of the service's dedicated user. We put it there so that it is not overwritten when we do the main CVS checkout to the target location.

[root root]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cvs -d co -d install openacs-4/etc/install
cvs server: Updating install
U install/README
U install/TODO
  ... many lines omitted ...
U install/tcl/twt-procs.tcl
U install/tcl/user-procs.tcl
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd install
[$OPENACS_SERVICE_NAME install]$ emacs install.tcl

Edit the installation configuration file, /home/$OPENACS_SERVICE_NAME/install/install.tcl and update the site-specific values, such as the new service's IP address and name, which will be written into the new service's config.tcl file. If your system is different from the one described in the previous sections, check the file paths as well. Set do_checkout=yes to create a new OpenACS site directly from a CVS checkout, or =no if you have a fully configured site and just want to rebuild it (drop and recreate the database and repeat the installation). If you have followed a stock installation, the default configuration will work without changes and will install an OpenACS site at

Run the install script as root:

[root root]# sh /home/$OPENACS_SERVICE_NAME/install/
/home/$OPENACS_SERVICE_NAME/install/ Starting installation with config_file 
/home/$OPENACS_SERVICE_NAME/install/install.tcl. Using serverroot=/var/lib/aolserver/
$OPENACS_SERVICE_NAME, server_url=, do_checkout=yes, do_install=yes, 
dotlrn=no, and database=postgres., use_daemontools=true
  ... many lines omitted ...
Tue Jan 27 11:50:59 CET 2004: Finished (re)installing /var/lib/aolserver/$OPENACS_SERVICE_NAME.
  New site URL:
admin email   :
admin password: xxxx
[root root]#

If there are no errors, you can browse to the "Welcome" page of your server. Be sure to visit en:docs-admin for administration help and en:docs-dev-tutorial for tutorials.

Option 2: Install available distribution

Unpack the distribution into /var/lib/aolserver as the service user and rename the tree to the service name. Secure the directory so that only the owner can access it, and check the permissions by listing the directory: the service tree must be owned by $OPENACS_SERVICE_NAME with mode 700 (drwx------), as in the last line of the listing below. If the tarball unpacked with looser modes, tighten them with chmod before continuing; config.tcl in that tree will hold the database password.

[root root]# su - $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ cd /var/lib/aolserver
[$OPENACS_SERVICE_NAME aolserver]$ tar xzf /var/tmp/openacs-5.2.0d1.tgz
[$OPENACS_SERVICE_NAME aolserver]$ mv openacs-5.2.0d1 $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME aolserver]$ ls -al
total 3
drwxrwx---    3 root     web          1024 Mar 29 16:41 .
drwxr-xr-x   25 root     root         1024 Mar 29 16:24 ..
drwx------    7 $OPENACS_SERVICE_NAME web          1024 Jan  6 14:36 $OPENACS_SERVICE_NAME
[$OPENACS_SERVICE_NAME aolserver]$ exit
[root root]#
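A mechanical version of the permission check above, as an added Python example that is not part of the OpenACS documentation: instead of eyeballing one ls -al line it walks the whole service tree and reports every directory or file that is group- or world-accessible or not owned by the expected uid. The root path and owner are parameters (nothing on the page fixes them); self_check() builds a throw-away sample tree rather than touching a real install.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def permission_findings(root: str, expected_uid: int) -> List[str]:
    """One finding per directory or file under root that is not owner-only
    (mode & 077 != 0) or that is owned by someone other than expected_uid.
    Symlinks are skipped; their targets are judged where they live."""
    findings: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk visits every directory as dirpath, so only files need adding here.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:
                findings.append(f"{path}: mode {mode:04o} grants access beyond the owner")
            if st.st_uid != expected_uid:
                findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def self_check() -> Tuple[List[str], List[str]]:
    """Run the check on a constructed sample tree (not a real install): first with
    owner-only modes everywhere, then after loosening etc/config.tcl to 0644."""
    root = tempfile.mkdtemp(prefix="oacs-perm-")
    os.chmod(root, 0o700)
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    os.chmod(etc, 0o700)
    cfg = os.path.join(etc, "config.tcl")
    with open(cfg, "w") as fh:
        fh.write("# constructed placeholder, not a real config.tcl\n")
    os.chmod(cfg, 0o600)
    clean = permission_findings(root, os.getuid())
    os.chmod(cfg, 0o644)  # a world-readable config.tcl (it can hold the db password) must be reported
    loose = permission_findings(root, os.getuid())
    return clean, loose


if __name__ == "__main__":
    import sys
    service_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in permission_findings(service_root, os.getuid()):
        print(line)
```

Run it as the service user against /var/lib/aolserver/$OPENACS_SERVICE_NAME; an empty report is the expected result after the chmod step above.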

Prepare the database

Prepare Oracle for OpenACS. If you won't be using Oracle, skip to Prepare PostgreSQL for an OpenACS Service

You should be sure that your user account (e.g. $OPENACS_SERVICE_NAME) is in the dba group.

  1. Verify membership by typing groups when you login:

    [$OPENACS_SERVICE_NAME ~]$ groups
    dba web

    If you do not see these groups, take the following action:

    [$OPENACS_SERVICE_NAME ~]$ su -
    Password: ************
    [root ~]# adduser $OPENACS_SERVICE_NAME dba

    If you get an error about an undefined group, then add that group manually:

    [root ~]# groupadd dba
    [root ~]# groupadd web

    Make sure to logout as root when you are finished with this step and log back in as your regular user.

  2. Connect to Oracle using svrmgrl and login:

    [$OPENACS_SERVICE_NAME ~]$ svrmgrl
    SVRMGR> connect internal


  3. Determine where the system tablespaces are stored:

    SVRMGR> select file_name from dba_data_files;

    Example results:



  4. Using the above output, you should determine where to store your tablespace. As a general rule, you'll want to store your tablespace on a mount point under the /ora8 directory that is separate from the Oracle system data files. By default, the Oracle system is on m01, so we will use m02. This enables your Oracle system and database files to be on separate disks for optimized performance. For more information on such a configuration, see Chapter 12 of Philip's book. For this example, we'll use /ora8/m02/oradata/ora8/.

  5. Create the directory for the datafile; to do this, exit from svrmgrl and login as root for this step:

    SVRMGR> exit
    [$OPENACS_SERVICE_NAME ~]$ su -
    Password: ************
    [root ~]# mkdir -p /ora8/m02/oradata/ora8/
    [root ~]# chown $OPENACS_SERVICE_NAME:web /ora8/m02/oradata/ora8
    [root ~]# chmod 775 /ora8/m02/oradata/ora8
    [root ~]# exit
  6. Create a tablespace for the service. It is important that the tablespace can autoextend; this allows the tablespace's storage capacity to grow as the size of the data grows. The statement below creates a locally managed tablespace with uniform extents, so no dictionary-managed storage clause (pctincrease and friends) is needed or accepted: extents stay a constant size and Oracle manages free space in the tablespace itself.

    [$OPENACS_SERVICE_NAME ~]$ svrmgrl
    SVRMGR> connect internal;
    SVRMGR> create tablespace $OPENACS_SERVICE_NAME
          datafile '/ora8/m02/oradata/ora8/$OPENACS_SERVICE_NAME01.dbf' 
          size 50M 
          autoextend on 
          next 10M
          maxsize 300M
          extent management local
          uniform size 32K;
  7. Create a database user for this service. Give the user access to the tablespace and rights to connect. We'll use $OPENACS_SERVICE_NAMEpassword as our password.

    Write down what you specify as service_name (i.e. $OPENACS_SERVICE_NAME) and database_password (i.e. $OPENACS_SERVICE_NAMEpassword). You will need this information for configuring exports and AOLserver.

    SVRMGR> create user $OPENACS_SERVICE_NAME identified by $OPENACS_SERVICE_NAMEpassword default tablespace $OPENACS_SERVICE_NAME
        temporary tablespace temp quota unlimited on $OPENACS_SERVICE_NAME;
    SVRMGR> grant connect, resource, ctxapp, javasyspriv, query rewrite, create view, create synonym to $OPENACS_SERVICE_NAME;
    SVRMGR> revoke unlimited tablespace from $OPENACS_SERVICE_NAME;
    SVRMGR> alter user $OPENACS_SERVICE_NAME quota unlimited on $OPENACS_SERVICE_NAME;
    SVRMGR> exit;

    Your table space is now ready. In case you are trying to delete a previous OpenACS installation, consult these commands in the section called “Deleting a tablespace” below.

  8. Make sure that you can login to Oracle using your service_name account (type the password at the prompt rather than putting it on the command line, where other users could read it from the process list):

    [$OPENACS_SERVICE_NAME ~]$ sqlplus $OPENACS_SERVICE_NAME
    Enter password: ************
    SQL> select sysdate from dual;
    SQL> exit;

    You should see today's date in the format 'YYYY-MM-DD'. If you can't login, redo step 1. If the date is in the wrong format, make sure you followed the steps outlined in the section called "Troubleshooting Oracle Dates".

Prepare PostgreSQL for an OpenACS Service.

  • PostgreSQL:

    Create a user in the database matching the service name. With the default PostgreSQL authentication for local connections, a system user connecting locally automatically authenticates as the PostgreSQL user of the same name, if one exists. The command below (createuser -a -d) makes that user a PostgreSQL superuser; we currently use superusers for everything, which means that anyone with access to any of the OpenACS system accounts on a machine has full access to all PostgreSQL databases on that machine. On a shared host, a role without superuser rights that may only create its own database (createuser's --no-superuser and --createdb options) limits what a compromised service account can reach.

    [root root]# su - postgres
    [postgres pgsql]$ createuser -a -d $OPENACS_SERVICE_NAME
    [postgres pgsql]$ exit
    [root root]#
  • Create a database with the same name as our service name, $OPENACS_SERVICE_NAME.

    [root root]# su - $OPENACS_SERVICE_NAME
    [$OPENACS_SERVICE_NAME ~]$ createdb $OPENACS_SERVICE_NAME
  • Automate daily database vacuuming. This is a process which cleans out discarded data from the database. A quick way to automate vacuuming is to edit the cron file for the database user. Recommended: VACUUM ANALYZE every hour and VACUUM FULL ANALYZE every day. (Since PostgreSQL 8.3 the server's own autovacuum is enabled by default; the explicit schedule below is for installations where it is turned off or where a fixed schedule is wanted.)

    [$OPENACS_SERVICE_NAME ~]$ crontab -e

    Add these lines to the file. The vacuum command cleans up dead rows and temporary structures within a PostgreSQL database, and can improve performance. We vacuum gently every hour and completely every day. The five leading fields are cron columns (minute, hour, day of month, month, day of week): "0 1-23 * * *" runs at minute 0 of every hour from 1 to 23, and "0 0 * * *" runs at midnight, on every day of the month, month and day of the week. Type man 5 crontab for more information.

    0 1-23 * * * /usr/local/pgsql/bin/vacuumdb --analyze $OPENACS_SERVICE_NAME
    0 0 * * * /usr/local/pgsql/bin/vacuumdb --full --analyze $OPENACS_SERVICE_NAME

    Depending on your distribution, you may receive email when the crontab items are executed. If you don't want to receive email for those crontab items, you can add > /dev/null 2>&1 to the end of each crontab line.

    At this point the database should be ready for installing OpenACS.

Configure an AOLserver Service for OpenACS.

  1. The AOLserver architecture lets you run an arbitrary number of virtual servers. A virtual server is an HTTP service running on a specific port, e.g. port 80. In order for OpenACS to work, you need to configure a virtual server. The Reference Platform uses a configuration file included in the OpenACS tarball, /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/config.tcl. Open it in an editor to adjust the parameters.

    [root root]# su - $OPENACS_SERVICE_NAME
    [$OPENACS_SERVICE_NAME etc]$ emacs config.tcl

    You can continue without changing any values in the file. However, if you don't change address to match the computer's ip address, you won't be able to browse to your server from other machines. See en:aolserver-admin for an explanation of some other values you might want to change in the config.tcl file.

Verify AOLserver startup.

  1. Kill any current running AOLserver processes and start a new one. The recommended way to start an AOLserver process is by running the included script, /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/daemontools/run. If you are not using the default file paths and names, you will need to edit run.

    If you want to use port 80, there are complications. AOLserver must be root to use system ports such as 80, but refuses to run as root for security reasons. So, we call the run script as root and specify a non-root user ID and Group ID which AOLserver will switch to after claiming the port. To do so, find the UID and GID of the $OPENACS_SERVICE_NAME user via grep $OPENACS_SERVICE_NAME /etc/passwd and then put those numbers into the command line via -u 501 -g 502. In AOLserver 4, you must also send a -b flag. Do this by editing the run file as indicated in the comments.

    If you are root then killall will affect all OpenACS services on the machine, so if there's more than one you'll have to do ps -auxw | grep nsd and selectively kill by job number.

    [$OPENACS_SERVICE_NAME etc]$ killall nsd
    nsd: no process killed
    [$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ /usr/local/aolserver/bin/nsd-postgres -t /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/config.tcl
    [$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: starting to read config file...
    [08/Mar/2003:18:13:29][32131.8192][-main-] Notice: nsd.tcl: finished reading config file.
  2. Attempt to connect to the service from a web browser. You should specify a URL like: http://yourserver.test:8000

    You should see a page that looks like this; otherwise check the en:aolserver-admin Troubleshooting section.

Configure a Service with the OpenACS Installer. Now that you've got AOLserver up and running, let's install OpenACS 5.2.0d1.

  • You should see a page from the webserver titled OpenACS Installation: Welcome. You will be warned if your version of the database driver is out of date, if AOLserver cannot connect to the database, if any modules are missing or out-of-date, or if there are any problems with filesystem permissions on the server side. But if everything is fine, you can click Next to proceed to load the OpenACS Kernel data model.

  • The next page shows the results of loading the OpenACS Kernel data model - be prepared to wait a few minutes as it works. You should see a string of output messages from the database as the datamodel is created. You'll see the line:

    Loading package .info files ... this will take a few minutes

    This will really take a few minutes. Have faith! Finally, another Next button will appear at the bottom - click it.

  • The following page shows the results of loading the core package data models. You should see positive results for each of the previously selected packages, but watch out for any errors. Eventually, the page will display "Generating secret tokens" and then "Done"- click Next.

  • You should see a page, "OpenACS Installation: Create Administrator" with form fields to define the OpenACS site administrator. Fill out the fields as appropriate, and click Create User.

  • You should see a page, "OpenACS Installation: Set System Information" allowing you to name your service. Fill out the fields as appropriate, and click Set System Information

  • You'll see the final Installer page, "OpenACS Installation: Complete." It will tell you that the server is being restarted; note that unless you already set up a way for AOLserver to restart itself (i.e. inittab or daemontools), you'll need to manually restart your service.

    [$OPENACS_SERVICE_NAME $OPENACS_SERVICE_NAME]$ /usr/local/aolserver/bin/nsd-postgres -t /var/lib/aolserver/$OPENACS_SERVICE_NAME/etc/config.tcl
  • Give the server a few minutes to start up. Then reload the final page above. You should see the front page, with an area to login near the upper right. Congratulations, OpenACS <version> is now up and running!


Upgrade to OpenACS 5.9

Created by Gustaf Neumann, last modified by Gustaf Neumann 05 Oct 2017, at 09:20 AM

Upgrades from versions earlier than OpenACS 5.8 should read upgrade-oacs-5-8 first.

OpenACS 5.9 requires PostgreSQL 9.0 or newer and XOTcl 2.0 or newer (part of the nsf package). XOTcl 2.0 can be installed e.g. via install-ns, or from Debian sid , or from sources . In order to check the versions of these packages already installed in your OpenACS installation, check the output of /xotcl/version-numbers in your installation.

Before upgrading to OpenACS 5.9, upgrade all packages in your current installation to recent versions in your OpenACS 5.8 installation (i.e. in the oacs-5-8 channel, especially if you are using edit-this-page, which has bugs in its data model that can complicate the oacs-5-9 installation).

In general it is always recommended to backup your current installation before overwriting it. Make e.g. a tar archive of all files of the OpenACS tree and a database dump.

After upgrading the packages in the oacs-5-8 channel,  the following steps are recommended:

  • Restart the server with OpenACS 5.8
  • Install newest version of the source files (e.g. from the OpenACS 5.9 tar distributions, or install/upgrade from the oacs-5-9 branch from cvs),
  • Upgrade the acs-core packages via package manager, restart server
  • Upgrade/install application packages via package manager as needed (from file-system or from repository)

To upgrade from OpenACS 5.9.0 to OpenACS 5.9.1 it is recommended to upgrade via tarball or via CVS. Upgrading from the repository works for NaviServer, but with AOLserver it leads to an error after the install steps (the installation itself is fine; after a restart everything works).



Installing OpenACS on Windows

Created by Maurizio Martignano, last modified by Maurizio Martignano 02 Oct 2017, at 06:45 PM

Windows-OpenACS (vers. 4.0.5 - October 2017) is a  Windows 64 port of OpenACS 5.9.1 and the latest snapshot of NaviServer and is available here.

This port installs and runs on the following systems:

  • Windows 8.1,
  • Windows 10,
  • Windows Server 2012 R2, and
  • Windows Server 2016 TP.


Content Security Policy (CSP)

Created by Gustaf Neumann, last modified by Gustaf Neumann 18 Aug 2017, at 10:32 PM

Starting with version 5.9.1, OpenACS supports Content Security Policies (CSP), a means to protect websites against a range of Cross-Site Scripting (XSS) attacks. In short, a CSP allows a developer to deactivate unneeded features in the client's browser, providing a sandbox with the minimum required capabilities. A CSP can, for example, allow .js files to be retrieved only from certain sites, or disallow script tags within the page, which might be injected by an attacker (for a more detailed introduction and tutorial, see CSP Reference , Google Developer Guide for CSP ).

In general, a CSP defines the rules for what is allowed on a page. This could be done statically for the whole site, but then the CSP rules must allow everything needed by the page with the highest requirements (e.g. a page with a richtext editor probably needs a script-src 'unsafe-eval' directive). This would render the CSP pretty useless.

Therefore, OpenACS supports a CSP generator, which generates a CSP rule-set for every page dynamically based on the requirements of that page. A web developer specifies the requirements of a page/proc with the command security::csp::require . For example, the current OpenACS theme uses in its plain-master the following directives.

security::csp::require img-src

security::csp::require style-src
security::csp::require script-src

security::csp::require font-src 'self'
security::csp::require font-src

Based on the directives of the page and those of the master templates, the security policy of each page is built (typically in the blank-master). For example, the content security policy of the OpenACS start page is

default-src 'self';
font-src 'self' data:;
img-src 'self';
report-uri /SYSTEM/csp-collector.tcl;
script-src 'self' 'nonce-49DBB4A924EA648C3025F7DD8C2553DC0EC700D1';
style-src 'self' 'unsafe-inline';

With this CSP, gets an A+ rating from .

Deactivating CSP for a Site

By default, the content security policies are turned on. All packages of the oacs-5-9 branch can be used with content security policies enabled. However, when a website contains legacy code using JavaScript for which no content security policies are defined, this will result in non-functioning pages. Therefore, a website administrator can set the package parameter CSPEnabledP (in the package parameters of ACS Kernel, "security" section) to "0" to deactivate the CSP. Note that this switch removes the protection for every page of the site, not only for the legacy ones, so fixing the offending code is preferable where possible.

For Developers

In order to make old packages (not included in the oacs-5-9 branch) or newly developed packages CSP compliant, one should be aware that all inline code is considered harmful. This includes <script> elements with inline content, but also "javascript:" URIs and on* event handlers.

<script> Elements

The CSP guidelines recommend replacing such elements with JavaScript files obtained from the same source as the page itself. However, this is not always practical, especially when JavaScript is generated dynamically. In such cases, two approaches are possible to make the script tag acceptable (without allowing all scripts on the page): CSP 2 offers the ability to add nonces or cryptographic hashes to whitelist these elements. OpenACS supports the first approach.

A nonce value is essentially a one-time value which can't be predicted by an attacker. OpenACS generates such a value in its security-procs and saves it in the global variable ::__csp_nonce. It can be used in Tcl code or in an ADP page as in the following example:

<script language="JavaScript"
   <if @::__csp_nonce@ not nil> nonce="@::__csp_nonce;literal@"</if>>
   /* inline JavaScript */
</script>
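The generator described above (security::csp::require accumulating per-page directives, the nonce on script-src, and the nonce placed on an inline script tag as in the ADP snippet), as an added Python illustration that is not OpenACS code. The baseline default-src 'self', the directive names and the report-uri are taken from the start-page policy quoted on the page; the class and function names are mine, build_start_page_policy() is my reconstruction of the requirements behind that policy, and the parser/risk check is an extra a reviewer would want in order to confirm that script-src never ends up with 'unsafe-inline' or 'unsafe-eval'.

```python
import secrets
from typing import Dict, List

# Sources that, in default-src or script-src, hand script execution back to an
# attacker who can inject markup; a policy is only worth having if they are absent there.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}


class CspPolicy:
    """Requirements for one page, collected during rendering and emitted once as a header.

    Hypothetical Python counterpart of security::csp::require / ::__csp_nonce."""

    def __init__(self, report_uri: str = "/SYSTEM/csp-collector.tcl") -> None:
        # Deny-by-default baseline; masters and pages relax individual directives.
        self._directives: Dict[str, List[str]] = {"default-src": ["'self'"]}
        self._report_uri = report_uri
        # One unpredictable value per request: 20 random bytes as 40 upper-case hex
        # characters, the shape of the nonce in the policy quoted on the page.
        self.nonce = secrets.token_hex(20).upper()

    def require(self, directive: str, *sources: str) -> None:
        """Equivalent of `security::csp::require directive source` (duplicates are folded)."""
        bucket = self._directives.setdefault(directive, [])
        for src in sources:
            if src not in bucket:
                bucket.append(src)

    def script_tag(self, inline_js: str) -> str:
        """The HTML the ADP snippet produces: an inline script carrying the request nonce."""
        return f'<script nonce="{self.nonce}">{inline_js}</script>'

    def header(self) -> str:
        """Serialize the policy. The nonce goes on script-src only; the master template
        is expected to have required script-src 'self' for same-origin .js files."""
        directives = {name: list(srcs) for name, srcs in self._directives.items()}
        directives.setdefault("script-src", []).append(f"'nonce-{self.nonce}'")
        directives["report-uri"] = [self._report_uri]
        return "; ".join(f"{name} {' '.join(directives[name])}"
                         for name in sorted(directives)) + ";"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy back into {directive: [sources]} for checking."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def risky_script_sources(header: str) -> List[str]:
    """Directive/source pairs that still allow inline or arbitrary script despite the CSP."""
    policy = parse_csp(header)
    return [f"{name} {src}"
            for name in ("default-src", "script-src")
            for src in policy.get(name, [])
            if src in RISKY_SCRIPT_SOURCES]


def build_start_page_policy() -> CspPolicy:
    """My reconstruction of the requirements behind the start-page policy quoted above."""
    csp = CspPolicy()
    csp.require("img-src", "'self'")
    csp.require("style-src", "'self'", "'unsafe-inline'")  # inline styles are still tolerated
    csp.require("script-src", "'self'")
    csp.require("font-src", "'self'", "data:")
    return csp


if __name__ == "__main__":
    page = build_start_page_policy()
    print("Content-Security-Policy:", page.header())
    print(page.script_tag("console.log('allowed by nonce');"))
    print("risky:", risky_script_sources(page.header()) or "none")
```

The point of folding the nonce into header() rather than into require() is that a page can never forget it or attach it to the wrong directive; the same page object that emitted the header emits the script tags, so both always carry the same value, and a cached copy of the header (which would reuse a nonce across requests) is impossible by construction.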

Event handlers and "javascript:" URI

Most of the work will probably be changes concerning event handlers (e.g. onclick, onblur, ...) and "javascript:" URIs (having "javascript" in the protocol part of the URI). In general, such code pieces must be refactored (see e.g. 1  or 2  for examples).

To ease this process, OpenACS 5.9.1 offers the function template::add_event_listener , which can be used to register event handlers in a compliant fashion either per HTML ID or per CSS class (see cal-item-new.tcl  or forums/lib/message/row2.tcl  for examples of how add_event_listener can be used).




Richtext CKEditor 4

Created by Gustaf Neumann, last modified by Gustaf Neumann 15 Aug 2017, at 09:09 PM

Package specification Summary for package richtext-ckeditor4

Summary: Richtext editor plugin for integrating CKeditor 4 with acs-templating
Maturity: Mature
This package depends on: acs-templating acs-tcl xotcl-core attachments
Packages that depend on richtext-ckeditor4: xowiki

Bug Tracker Summary for package richtext-ckeditor4

There is no package with the name "richtext-ckeditor4" known to bug-tracker.

Code Metrics Summary for package richtext-ckeditor4

# Tcl Procs 9
# Tcl Lines 562
# Automated Tests 0
# Stored Procedures PG: 0 ORA: 0
# SQL Lines PG: 0 ORA: 0
# ADP pages 1
# ADP lines 20
# Include pages (richtext-ckeditor4/lib/) 1
# Documentation pages 0
# Documentation lines 0
Source API-browser

In general, the CKEditor can be used via CDN (zero configuration, default) or via local files. One can use /acs-admin/ (section Site-wide Service Administration) to download a version to your local site to reduce latency or to use local modifications. By default, the "standard" preset is downloaded. By altering the variable "ck_package" in packages/richtext-ckeditor4/tcl/richtext-procs, one can download other presets as well (see ).

The CKEditor widget can be used at least in two scenarios: (a) as a richtext-widget or (b) within xowiki as a class of a form-field.

(a) Here is an example of the use of the richtext widget configured for ckeditor4, showing some options:

    {label "CKEditor"}
    {html {rows 15 cols 50}}
    {options {
        editor ckeditor4
        plugins wsc
        extraAllowedContent "u;span{color}"}}

This minimal example should work with the "standard" distribution of CKEditor; it adds the "wsc" (Web Spell Checker) plugin and allows the tags <u>...</u> and <span style="color:...">...</span> to be used in the content. Otherwise, these tags are removed by the content filter of the editor (for details, see CKEditor documentation ). Additional "options" are "skin" and "customConfig", where the latter refers to a JavaScript file which can be used for detailed configuration (for more details, see!/guide/dev_configuration ).

(b) When used as a form-field within xowiki forms, there are detailed config options available: mode, displayMode, skin, toolbar, CSSclass, uiColor, allowedContent, customConfig, extraPlugins, extraAllowedContent, templatesFiles, templates, contentsCss, imageSelectorDialog, and additionalConfigOptions. A short introduction to form-fields is in . One should set the PreferredRichtextEditor (xowiki global parameter) to ckeditor4.
