Sakai / SAK-38032

change filterhtml mappings for 2.9.3

    Details

    • Type: Bug
    • Status: RESOLVED
    • Priority: Major
    • Resolution: Incorporated
    • Affects Version/s: 2.9.0
    • Fix Version/s: 2.9.0
    • Component/s: Lessons
    • Labels:
      None
    • Previous Issue Keys:
      LSNBLDR-276
    • Test Plan:

      Test plan: the change here is to the mapping of lessonbuilder.filterhtml values to antisamy values.

      In principle you need to test every possible value of filterhtml with every possible value of the system-wide AntiSamy setting. This requires a number of restarts of the server. In practice, however, you might want to test only what changed.

      To do the tests, you need to have a few samples of HTML.

      Sample 1 - embed. A piece of HTML code embedding a URL that works in antisamy low but not high.
      <p>
      <iframe frameborder="0" height="315" src="http://embed.ted.com/talks/jinsop_lee_design_for_all_5_senses.html" width="560"></iframe></p>

      Sample 2 - embed. A piece of HTML code embedding a URL that works in both low and high AntiSamy.
      <p>
      <iframe frameborder="0" height="315" src="https://www.youtube.com/embed/0PKgnOn5w5U" width="560"></iframe></p>

      Sample 3 - javascript: <script>alert('foo');</script>

      The test is to do "add text", switch the editor to source mode, paste the HTML, save, and see whether the change was actually kept. The safest way to check is to edit the item again, put the editor back into source mode, and see whether the HTML is still there.

      Here are the possible values of lessonbuilder.filterhtml. Entries carrying an [old behavior: ...] note are the ones this patch changes:

      For reference you may want to see the sakai.properties file, Security Settings section, for documentation. It describes the AntiSamy and legacy security settings.

      The following settings inherit the system-wide behavior of the security settings:

      • property not in file, inherits the system-wide setting for anti-samy [old behavior: low]
      • null string, inherits the system-wide setting for anti-samy [old behavior: low]
      • "default": inherits system-wide setting

      Other settings:

      • "true": antisamy high [old behavior: low]
      • "high": anti-samy high
      • "false": no filtering
      • "none": no filtering
      • "low": anti-samy low

      Here are minimal tests to check just what changed. In addition to what changed, for each content.cleaner setting you might consider also trying a few randomly chosen filterhtml values to verify that they work.

      content.cleaner.use.legacy.html=true
      No change in behavior.
      To test other values: every value except "none" and "false" should prohibit both samples. "none" and "false" should allow everything.

      No content.cleaner properties set, or content.cleaner.use.legacy.html and content.cleaner.default.low.security both false
      lessonbuilder.filterhtml missing or blank should now prohibit both test cases.
      lessonbuilder.filterhtml=true should now prohibit both test cases.
      To test other values, see the list above. No filtering should allow both test cases; low should allow the embed HTML but not the javascript; high should allow neither.

      content.cleaner.default.low=true
      No change in behavior.
      To test other values, see the list above. No value or blank should prohibit the javascript but allow the embed. No filtering should allow both test cases; low should allow the embed HTML but not the javascript; high should allow neither.
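As an added example (not Sakai's own code), the following Python models how a site's lessonbuilder.filterhtml value is resolved against the system-wide content.cleaner properties named in this test plan, with a patched=False switch that reproduces the pre-2.9.3 mapping for comparison. The resolution logic and the per-level sample table are reconstructed from the test plan above, not taken from Sakai's source; the fate of sample 2 under the legacy cleaner is not stated on the page and is assumed to be blocked.

```python
# Added example, not Sakai's code: a model of the SAK-38032 mapping from the
# per-site lessonbuilder.filterhtml value to an effective cleaner level.
# Property names come from the issue text; the logic is an assumption
# reconstructed from the test plan, not Sakai's FormattedText implementation.

LEGACY, HIGH, LOW, NONE = "legacy", "high", "low", "none"

# Which test-plan samples each cleaner level lets through (constructed from the
# test plan; sample 2 under the legacy cleaner is an assumption).
ALLOWED = {
    NONE:   {"s1_embed_low_only", "s2_embed_both", "s3_script"},
    LOW:    {"s1_embed_low_only", "s2_embed_both"},
    HIGH:   {"s2_embed_both"},
    LEGACY: set(),
}


def system_level(use_legacy_html=False, default_low_security=False):
    """System-wide level from content.cleaner.use.legacy.html and
    content.cleaner.default.low.security; with neither set, 2.9.3 is AntiSamy high."""
    if use_legacy_html:
        return LEGACY
    return LOW if default_low_security else HIGH


def effective_level(filterhtml, use_legacy_html=False, default_low_security=False,
                    patched=True):
    """Resolve lessonbuilder.filterhtml (None = property absent) to a cleaner level.
    patched=False reproduces the 2.9.2 mapping that this issue replaces."""
    value = (filterhtml or "").strip().lower()
    sys_level = system_level(use_legacy_html, default_low_security)
    if value in ("false", "none"):
        return NONE                                # no filtering at all
    if sys_level == LEGACY:
        return LEGACY                              # legacy cleaner has no high/low
    if value in ("", "default"):
        return sys_level if (patched or value == "default") else LOW
    if value == "true":
        return HIGH if patched else LOW            # "true" used to mean low
    if value in (HIGH, LOW):
        return value
    raise ValueError(f"unknown lessonbuilder.filterhtml value: {filterhtml!r}")


def outcomes(filterhtml, **system):
    """Which test-plan samples survive for a site with this configuration."""
    level = effective_level(filterhtml, **system)
    return {s: s in ALLOWED[level] for s in sorted(ALLOWED[NONE])}
```

Running outcomes(None) against outcomes(None, patched=False) shows the change the test plan checks: the unset value now resolves to high instead of low.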


      Description

      For 2.9.2, the default filterhtml was to use AntiSamy low. The system default was off, which resulted in use of the old filter code. In the end the Lessons default ended up doing the same thing, because with antisamy disabled, any Lessons setting other than none or false would call the traditional code.

      For 2.9.3, because the system default is AntiSamy high, it makes more sense for the Lessons default to simply inherit the system setting. Thus I'm changing the Lessons default to default, which means to use the system setting.

      People

      • Assignee: Charles Hedrick
      • Reporter: Charles Hedrick