
mahara-contributors team mailing list archive

[Bug 1558830] [NEW] Set "URI.DefinitionID" and "URI.DefinitionRev" in HTMLPurifier

 

Public bug reported:

While working on https://bugs.launchpad.net/mahara/+bug/1558387, Robert
pointed out to me that we don't set URI.DefinitionRev. We also don't set
URI.DefinitionID. Although the HTMLPurifier docs say that
URI.DefinitionID is required if you have custom URIFilters (and our
allowed iframe list is a custom URIFilter), it looks like the fallback
behavior is that it generates a URI.DefinitionID based on a hash of the
config. This has the effect that a new "Revision 1" URI config file is
generated each time the allowed iframes list changes. It also results in
an accumulation of old URI cache files in the dataroot/htmlpurifier
directory, since they're all Revision 1, and all have different IDs.

I think the best approach here is to give the URI.DefinitionRev its own
revision number, stored in the database, and increment it every time we
change the allowed iframe list.

** Affects: mahara
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1558830
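
The approach proposed in the report, sketched as an added example that is not Mahara's code and not part of the original message: the custom URI definition gets an explicit `URI.DefinitionID`, and `URI.DefinitionRev` is supplied by the caller, who increments it whenever the allowlist changes. The class name, function name, ID string, host and revision value are hypothetical, and HTML Purifier is assumed to be installed via Composer.

```php
<?php
require_once __DIR__ . '/vendor/autoload.php'; // assumption: Composer install

// Hypothetical stand-in for an allowed-iframe URIFilter.
class Example_URIFilter_IframeAllowlist extends HTMLPurifier_URIFilter
{
    public $name = 'ExampleIframeAllowlist';
    private $hosts;

    public function __construct(array $hosts)
    {
        $this->hosts = $hosts;
    }

    public function filter(&$uri, $config, $context)
    {
        // Only constrain URIs embedded by an <iframe>; leave all others alone.
        if (!$context->get('EmbeddedURI', true)) {
            return true;
        }
        $token = $context->get('CurrentToken', true);
        if (!($token && $token->name === 'iframe')) {
            return true;
        }
        return in_array($uri->host, $this->hosts, true);
    }
}

// $rev is owned by the caller: persist it (the report suggests the database)
// and increment it every time $allowedHosts changes.
function example_purifier_config(array $allowedHosts, int $rev, string $cacheDir)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.SerializerPath', $cacheDir);
    // Explicit identifier for the custom URI definition (hypothetical value).
    $config->set('URI.DefinitionID', 'example-iframe-allowlist');
    $config->set('URI.DefinitionRev', $rev);
    // Returns null when a cached definition can be reused, so the filter
    // is only attached when the definition has to be rebuilt.
    if ($uri = $config->maybeGetRawURIDefinition()) {
        $uri->addFilter(new Example_URIFilter_IframeAllowlist($allowedHosts), $config);
    }
    return $config;
}

// Constructed sample values.
$purifier = new HTMLPurifier(
    example_purifier_config(['video.example.org'], 2, sys_get_temp_dir())
);
```

If the allowlist changes without the revision being incremented, a previously cached definition can still be picked up, so the increment belongs in the same code path that saves the list.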

