mahara-contributors team mailing list archive
Message #12926
[Bug 1073625] Re: Add additional html interface
I hate to reopen this ticket after it's been through so much code review
and been accepted and it has such a great, polished UI. :(
However, I've noticed that it no longer actually works for the proposed
purpose of allowing the admin user to set up Google Analytics. The
reason for this is that it passes the HTML through the clean_html
function, and that strips out JavaScript from it, and the modern Google
Analytics snippet is just JavaScript:
https://developers.google.com/analytics/devguides/collection/gajs/asyncTracking
I think this gets at a fundamental difficulty with this issue:
1. If we filter the HTML, then it prevents this feature from doing what
it's really meant to do.
2. BUT if we don't filter the HTML, we provide a very easy path for
someone who compromises an admin account, or finds a SQL injection that
lets them do inserts or updates to arbitrary tables, to escalate that
into pwning all visitors to the site. (i.e. they can put some JS on
every page that redirects to wherever they want; or put some JS that
forwards login information to an outside site)
So, I think we probably should scrap this feature, since with
clean_html() it's not useful, and without clean_html() it's not safe.
I think an easier and safer way to achieve what we want would be to
create some blank HTML files in, say, /local/additionalhtml/head.html,
etc., and include those in every page. Then the site admin can just
modify those in order to change what shows up on the page. This would be
consistent with our security approach of assuming that filesystem access
is more difficult for an attacker to achieve than login or database
access.
It's also true that users could achieve this already, by editing the
right template file. But I think the template directory structure is
probably intimidating for new users, so it would make sense to add an
easy API for them to do the very common task of adding a Google
Analytics or other page tracking cookie.
Cheers,
Aaron
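To make the trade-off above concrete, here is an added illustration in Python; it is not Mahara code. A tiny allowlist parser stands in for Mahara's clean_html(), the /local/additionalhtml directory and the slot names head/footer are taken from the proposal as assumptions, and the analytics snippet is a constructed stand-in.

```python
import html, os, tempfile
from html.parser import HTMLParser
# Constructed stand-in for an async analytics snippet (not Google's real code).
GA_SNIPPET = '<script type="text/javascript">var _gaq = _gaq || []; _gaq.push(["_trackPageview"]);</script>'

class AllowlistSanitizer(HTMLParser):
    """Tiny allowlist filter in the role of clean_html(): drops <script> with its body and on* attributes."""
    KEEP = {"p", "b", "i", "a", "span", "div"}  # everything else is dropped, its text kept escaped
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skip += 1
        elif tag in self.KEEP and not self.skip:
            kept = [f'{k}="{html.escape(v, quote=True)}"' for k, v in attrs
                    if v is not None and not k.startswith("on")]
            self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self.skip = max(0, self.skip - 1)
        elif tag in self.KEEP and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize(fragment):
    """Route 1: HTML saved through the admin UI is filtered, so the script never reaches a page."""
    s = AllowlistSanitizer()
    s.out, s.skip = [], 0
    s.feed(fragment); s.close()
    return "".join(s.out)

SLOTS = ("head", "footer")  # fixed slot names: the admin edits files, never supplies a path

def load_additional_html(slot, base_dir="/local/additionalhtml"):
    """Route 2: the file is emitted verbatim; only filesystem write access controls what runs."""
    if slot not in SLOTS:
        raise ValueError(f"unknown additional-html slot: {slot!r}")
    try:
        with open(os.path.join(base_dir, slot + ".html"), encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""  # blank file or no file: nothing added to the page

def demo():
    base = tempfile.mkdtemp()  # stands in for the assumed /local/additionalhtml directory
    with open(os.path.join(base, "head.html"), "w", encoding="utf-8") as fh:
        fh.write(GA_SNIPPET)
    return {"via_database": sanitize(GA_SNIPPET), "via_filesystem": load_additional_html("head", base)}
```

Running demo() shows the same snippet arriving empty through the sanitised database route and intact through the file route, which is exactly why the post says the feature is either useless or unsafe when its content lives in the database.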
https://bugs.launchpad.net/bugs/1073625
Title: Add additional html interface
Status in Mahara ePortfolio: In Progress
Bug description:
We need something similar to Moodle
.../admin/settings.php?section=additionalhtml, so that if people need
to add, say, Google Analytics code, they would not be required to
modify the theme template.