Forum OpenACS Development: html filtering
Even with an Intranet, there could be concerns letting people have unfiltered HTML. A malicious user that knew what they were doing could break in and steal anything that was valuable on the Intranet.
ACS Kernel [set parameters]. In the "Antispam" category you can add to the lists of allowed tags and attributes. I'm not aware of an attribute to disable HTML filtering altogether.
Our users are used to copying and pasting the HTML source of sites under scrutiny. I need to preserve this functionality.
This intranet holds some very private and low level classified information thus there is no connection between the internet and the intranet. In order to pull off a cross site attack the attacker would have to first break the virtual machine isolation.
Thanks Joel - you posted while I was typing.
I hope it is clear though that although your system is probably sufficiently protected from attackers from the outside world, these modifications open it up to CSRF attacks from internal users, e.g. one user could steal all the private data from all the other users.
I thought that you could still invoke these cross site scripting programs by including an image tag, or providing an anchor tag that when followed, would activate the program in the context of the clicker.
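To make the allow-list mechanism from the Antispam parameters and the image-tag/anchor-tag vectors above concrete, here is a small Python model of a tag/attribute allow-list check. It is an added example, not OpenACS code and not the Tcl in text-html-procs.tcl: the allow-lists, the URL-scheme check and the sample markup are all constructed here, and the `check_html_bypassed` variant reproduces what the diff posted later in this thread does, namely fixing the tag name to "li" and the attribute name to "href" regardless of the markup.

```python
import re

# Constructed allow-lists in the spirit of the ACS Kernel "Antispam" parameters
# mentioned above (assumption: the real OpenACS defaults differ).
ALLOWED_TAGS = {"p", "br", "b", "i", "a", "ul", "ol", "li", "img", "pre"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

TAG_RE = re.compile(r"<(/?)\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>")
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-A-Za-z0-9_:.]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?""")


def url_is_safe(value):
    """True unless the value carries a scheme outside SAFE_SCHEMES.
    Simplification (this example only): entity-encoded or whitespace-split
    schemes such as java&#115;cript: are not decoded here."""
    value = value.strip().strip("\"'").lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", value)
    if not m:
        return True          # no scheme at all: relative URL
    return m.group(1) in SAFE_SCHEMES


def check_html(html, tag_name_of=None, attr_name_of=None):
    """Return allow-list violations in html as (kind, detail) tuples.

    tag_name_of / attr_name_of receive the regex match and return the name
    to check. The defaults read the name out of the markup, which is what
    the two lines changed in the thread's diff did before the change.
    """
    tag_name_of = tag_name_of or (lambda m: m.group(2).lower())
    attr_name_of = attr_name_of or (lambda m: m.group(1).lower())
    violations = []
    for m in TAG_RE.finditer(html):
        tag = tag_name_of(m)
        if tag not in ALLOWED_TAGS:
            violations.append(("tag", tag))
            continue
        if m.group(1):                    # closing tag carries no attributes
            continue
        for am in ATTR_RE.finditer(m.group(3)):
            attr = attr_name_of(am)
            if attr not in ALLOWED_ATTRS:
                violations.append(("attr", f"{tag}@{attr}"))
            elif attr in ("href", "src") and am.group(2) and not url_is_safe(am.group(2)):
                violations.append(("url", f"{tag}@{attr}={am.group(2)}"))
    return violations


def check_html_bypassed(html):
    """Same check with the tag name fixed to "li" and the attribute name
    fixed to "href" whatever the markup says, mirroring the thread's diff."""
    return check_html(html, tag_name_of=lambda m: "li", attr_name_of=lambda m: "href")


# Constructed samples: the two vectors named in the post above plus a benign case.
SAMPLES = {
    "benign": '<p>See <a href="/intranet/report.html">the report</a></p>',
    "img_handler": '<img src="x" onerror="fetch(\'/intranet/export?all=1\')">',
    "anchor_js": '<a href="javascript:document.location=\'/admin/delete\'">click</a>',
    "script": "<script>alert(document.cookie)</script>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:12} normal={check_html(html)} bypassed={check_html_bypassed(html)}")
```

With the names read from the markup, the `onerror` handler and the `<script>` element are rejected; with the names forced to "li" and "href" both pass, because the allow-list is consulted only with values that are already on it. The `javascript:` anchor is still caught in this example only because the URL-scheme check is a separate addition here that does not depend on the attribute name; a filter that relies on the attribute name alone would let it through as well.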
diff text-html-procs.tcl text-html-procs.tcl~
< #set tagname [string tolower [string range $html [lindex $name_idx 0] [lindex $name_idx 1]]]
< set tagname "li"
> set tagname [string tolower [string range $html [lindex $name_idx 0] [lindex $name_idx 1]]]
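Review bot: replacing the tag-name lookup with the constant `set tagname "li"` does not relax the filter, it disables it: every tag, `script` included, is now compared against the allowed-tag list as "li" and passes. Note that because the backup (`~`) file is the second argument to `diff`, the `<` lines are the live code. If the aim is to let users paste page source, add the tags they need to the Antispam allowed-tags parameter mentioned earlier in the thread rather than hard-coding the name, and drop the commented-out `#set tagname ...` line so the original is not left half-removed.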
< #set attr_name [lindex $attribute 0]
< set attr_name "href"
> set attr_name [lindex $attribute 0]
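Review bot: forcing `set attr_name "href"` means event-handler attributes such as `onload` or `onerror` are checked as if they were `href` and therefore accepted, which is exactly the image-tag and anchor-tag vector raised earlier in the thread. Keep `set attr_name [lindex $attribute 0]` and extend the allowed-attributes parameter if specific attributes are needed; as with the first change, the commented-out original line should be removed rather than left beside the constant.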