
mahara-contributors team mailing list archive

[Bug 1213994] Re: Additional HTML is useless if it passes through clean_html()

 

Here are my thoughts on the subject:

1. An "Additional HTML" feature of some sort is a feature we should
definitely have, because it's so useful for setting up web analytics.
(Users could sorta hack their way to this solution by altering the
themes, or by overriding templates under /local/theme/templates, but
that solution is no good if you have multiple themes.)

2. This feature is only useful if it is absolutely unfiltered HTML. It
needs to be able to include Javascript and other tags, because that's
what web analytic snippets use.

3. In keeping with the security standard we've arrived at since
https://bugs.launchpad.net/mahara/+bug/1057238, we assume that the
Mahara admin account is relatively easy to hack into, so we should be
careful about putting anything there that would allow an attacker to do
damage beyond just wrecking the Mahara site. In this case, uploading
arbitrary HTML and JS to every page definitely falls into that category,
so we can't make it accessible via the web UI.

4. So the question remains, what interface do we use instead? I'm
actually in favor of the filesystem. I'd like to see a system where you
place a file in the /local directory, and the contents of that are used
to display the additional HTML in the appropriate places. I thought that
the existing additional HTML code, since it puts hooks into the page
templates at the appropriate places, would be a good starting point for
that.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1213994

Title:
  Additional HTML is useless if it passes through clean_html()

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  See parent bug: https://bugs.launchpad.net/mahara/+bug/1073625

  I have got an email request explaining the problem:

  "...But the problem is when I add a sample reference to Additional
  HTML (Within HEAD), e.g.

  <link href="some.css" type="text/css" rel="stylesheet">
  it doesn't show inside HEAD element at all. Do you have an idea what to do to make it show inside HEAD element?"

  It seems that the clean_html parsing applied to Additional HTML removes
  this type of content. It actually makes the Additional HTML feature
  useless, as it seems to ignore everything apart from very simple HTML.
  I suggest not doing clean_html for this kind of output. The reason is
  that the feature is used by site admins only and simply makes it easier
  to add extra content without modifying the theme code. I think the site
  admin should take all responsibility for the content, as it is the same
  as adding it directly to the theme code itself. BTW, a similar feature
  in Moodle does not apply clean html parsing to its output either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1213994/+subscriptions
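The filesystem-based design sketched in point 4 of the comment above, as an added illustration that is not Mahara's own code: the HTML for each hook point is read from a fixed file under /local and returned unfiltered, so the trust boundary is "who can write to the server's filesystem" rather than "who holds an admin web login". The file names (`additionalhtml_head.html` and so on), the hook point names and the function names are assumptions made for this example; Mahara itself may use different ones.

```php
<?php
// Added illustration, not Mahara code: read "Additional HTML" fragments from
// files under /local instead of from a database field edited in the web UI.
// File names, directory layout and function names are assumptions.

/**
 * Map of hook point => file name. Only these fixed names are ever opened,
 * so a caller can never steer the lookup to an arbitrary path.
 */
function local_additional_html_files() {
    return array(
        'head'       => 'additionalhtml_head.html',
        'bodytop'    => 'additionalhtml_bodytop.html',
        'bodybottom' => 'additionalhtml_bodybottom.html',
    );
}

/**
 * Return the raw HTML for one hook point, or '' when no file exists.
 *
 * The content is deliberately NOT passed through clean_html(): <script> and
 * <link> must survive for analytics snippets to work. The trust boundary is
 * the filesystem: only someone who can write to /local (shell or deploy
 * access) can change what is injected into every page, so a compromised
 * admin web account gains nothing here.
 */
function local_additional_html($location, $localdir) {
    $files = local_additional_html_files();
    if (!isset($files[$location])) {
        throw new InvalidArgumentException("Unknown additional HTML location: $location");
    }
    $path = $localdir . DIRECTORY_SEPARATOR . $files[$location];
    if (!is_file($path)) {
        return '';
    }

    // A world-writable fragment could be rewritten by any local account, so
    // refuse to serve it at all rather than inject it into every page.
    $perms = fileperms($path);
    if ($perms !== false && ($perms & 0002)) {
        error_log("Refusing world-writable additional HTML file: $path");
        return '';
    }

    // If the web server process itself can modify the file, the design's
    // assumption no longer holds: code execution inside the web app could
    // then rewrite the fragment. Serve it, but warn so the operator fixes
    // the ownership/permissions.
    if (is_writable($path)) {
        error_log("WARNING: $path is writable by the web server user; "
                . "additional HTML should be read-only to PHP");
    }

    $html = file_get_contents($path);
    return ($html === false) ? '' : $html;
}

// Example usage from a page template, where $localdir is the path to the
// Mahara /local directory. The output is intentionally left unescaped.
//   echo local_additional_html('head', $localdir);        // inside <head>
//   echo local_additional_html('bodybottom', $localdir);  // before </body>
```

The two permission checks are the practical caveat on this design: it only buys anything if the files are owned by a deploy or root account and are not writable by the PHP process, otherwise a compromised web application can write the fragment just as easily as it could have written the old database field.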
