Tips for Instructional Designers related to AntiSamy (what code to avoid)?
Regan, Alan
All,
Some of the instructional designers at our university are pulling their hair out. The frustration comes from the pop-up message: "Notice: Your HTML contains tags or attributes that are not permitted and have been removed from your content." It seems that the AntiSamy solution to secure the service can sometimes block tags or code that doesn't seem like a security issue. For example, it seems that some colors may be blocked, and I saw in a JIRA that one of the three possible strikethrough tags was being blocked (the S tag that the CKEditor uses). So even some tags the CKEditor may use by default could conflict with AntiSamy rules.
QUESTIONS:
· Has anyone compiled some standard AntiSamy exceptions that would help an institution allow select items that are common to good design without impacting security? (Suggestions or specific code for system administrators to consider.)
· On the other side, has anyone compiled code or options that are being correctly blocked for good reason, and instructional designers should steer clear of? (A guide for instructional designers, professors, and content creators to avoid the pop-up warning and having code stripped out of their post.)
Any guidance appreciated so my team can communicate with our school content creators and help them avoid problems.
Sincerely,
Alan Regan
Director, Client Services
Information Technology
Pepperdine University
http://community.pepperdine.edu/it
http://community.pepperdine.edu/techlearn
David Eveland
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+...@apereo.org.
To post to this group, send email to sakai...@apereo.org.
Visit this group at http://groups.google.com/a/apereo.org/group/sakai-user/.
Neal Caidin
# Whether or not to append a target=_blank if there is no target attribute on anchor tags
# DEFAULT: true
# content.cleaner.add.blank.target=false
# Force the user of a lower security profile for content processing and scanning,
# if this is not overridden then high security settings are used.
# The standard high and low files are located in "kernel/sakai-kernel-impl/src/main/resources/antisamy/"
# Override the standard files by placing your own files in:
# ${sakai.home}/antisamy/high-security-policy.xml
# ${sakai.home}/antisamy/low-security-policy.xml
# DEFAULT: false (use high security - no unsafe embeds or objects)
#content.cleaner.default.low.security=true
HTH
Matthew Jones
Adam Marshall
You can configure anti samy to let certain tags and sites through the filter.
By default it really should let the standard ck edit tags through.
Adam
-- sent from my phone
Matthew Jones
Regan, Alan
Thanks, Matthew.
Related to the pop-up message and Matthew's question about the problem --
· Audience. Who should see the warning? Should people who can't do anything about the issue see a warning? In theory, whatever code isn't acceptable was stripped out, so the warning shouldn't persist after the initial save, correct? From my point of view, students (or site viewers) shouldn't see a scary warning; the warning says "Your HTML" which can be confusing as to who the "you" is. That said, someone that creates the content absolutely needs to know if they've made a mistake or something is being blocked.
· Actionable. The people who can do something about the problem need guidance on what the problem really is. It's fine and very helpful to have an "Oops!" message, but there also has to be a way to guide the content editor toward a fix for the "oops." A verbose pop-up might not be the most help (e.g. the "display" option that was mentioned in the settings). However, the next step is likely for the person to edit the content again. Just as there's an audit log in some tools, shouldn't there be a log in the editing screen to show the last set of content errors from the given tool in the given site? That seems like a logical place to provide either the verbose error display or a link to pull it up. Instructors also don't have access to system logs, so providing some level of information that could assist them fix a content problem on the editing screen seems logical to me.
· Frequency. How often should the warning be presented? I believe this may have been addressed on our Sakai instance by applying a patch so the notice doesn't persist each and every visit to the site/tool. This is especially frustrating for a site viewer, since they can't do anything and it makes it seem like the system is flawed, etc.
· Emphasis. Good question about the warning notice color scheme. Red does make it seem rather scary and important. The yellow style in the examples Matthew provided might be a good alternative format, simply to reduce the intensity factor. My original email was unrelated to the style of the warning, but it's an interesting point to consider. Thanks for sharing this, Matthew.
vs. 
Related to guidelines for instructional designers and content editors --
· What's allowed? From a security standpoint, I can see the motivation for "everything that is not specifically allowed is denied." I guess the question then is, what is allowed in the "low" and the "high" modes by default in Sakai 10+? Pointing me or an instructor to the OWASP site will not fly (no pun intended… okay, maybe a little bit) or very long XML files aren't ideal, either. Professors, instructional designers, and content creators need guidance in human terms as much as possible. Would be lovely to have a simple, alphabetized list of "allowed tags" and "allowed attributes."
o Would it be hard for someone to code a tool to parse an AntiSamy security policy XML file and spit out a nice text file with headings and bulleted list? Basically, translating some of the code into human-friendly items? For example, translate the element " [a-zA-Z0-9\-_]+" into something that professors could understand like "Letters (uppercase and lowercase), Numbers, and select special characters ("\", "-", and"_")." (I may have missed something, but that's my best guess on the fly…
o If AntiSamy regulates color names, do the color names match the colors in the CKEditor?
§ Example AntiSamy code: <regexp name="colorName" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)"/>
§ If color names are limited to the list above, if a professor selects the "Brown" color in the CKEditor interface, will the pop-up warning happen and the color choice stripped?
Anyway… again, my goal is to help professors and content editors understand what is allowable by default, and then an institution can make decisions about additional items to whitelist given the nature of their community.
Thanks, all, for helping think this item though.
Sincerely,
Alan Regan
Director, Client Services
Information Technology
Pepperdine University
http://community.pepperdine.edu/it
http://community.pepperdine.edu/techlearn
Matthew Jones
Thanks, Matthew.
Related to the pop-up message and Matthew's question about the problem --
· Audience. Who should see the warning? Should people who can't do anything about the issue see a warning? In theory, whatever code isn't acceptable was stripped out, so the warning shouldn't persist after the initial save, correct? From my point of view, students (or site viewers) shouldn't see a scary warning; the warning says "Your HTML" which can be confusing as to who the "you" is. That said, someone that creates the content absolutely needs to know if they've made a mistake or something is being blocked.
· Actionable. The people who can do something about the problem need guidance on what the problem really is. It's fine and very helpful to have an "Oops!" message, but there also has to be a way to guide the content editor toward a fix for the "oops." A verbose pop-up might not be the most help (e.g. the "display" option that was mentioned in the settings). However, the next step is likely for the person to edit the content again. Just as there's an audit log in some tools, shouldn't there be a log in the editing screen to show the last set of content errors from the given tool in the given site? That seems like a logical place to provide either the verbose error display or a link to pull it up. Instructors also don't have access to system logs, so providing some level of information that could assist them fix a content problem on the editing screen seems logical to me.
· Frequency. How often should the warning be presented? I believe this may have been addressed on our Sakai instance by applying a patch so the notice doesn't persist each and every visit to the site/tool. This is especially frustrating for a site viewer, since they can't do anything and it makes it seem like the system is flawed, etc.
· Emphasis. Good question about the warning notice color scheme. Red does make it seem rather scary and important. The yellow style in the examples Matthew provided might be a good alternative format, simply to reduce the intensity factor. My original email was unrelated to the style of the warning, but it's an interesting point to consider. Thanks for sharing this, Matthew.
vs.
Related to guidelines for instructional designers and content editors --
· What's allowed? From a security standpoint, I can see the motivation for "everything that is not specifically allowed is denied." I guess the question then is, what is allowed in the "low" and the "high" modes by default in Sakai 10+? Pointing me or an instructor to the OWASP site will not fly (no pun intended… okay, maybe a little bit) or very long XML files aren't ideal, either. Professors, instructional designers, and content creators need guidance in human terms as much as possible. Would be lovely to have a simple, alphabetized list of "allowed tags" and "allowed attributes."
o Would it be hard for someone to code a tool to parse an AntiSamy security policy XML file and spit out a nice text file with headings and bulleted list? Basically, translating some of the code into human-friendly items? For example, translate the element " [a-zA-Z0-9\-_]+" into something that professors could understand like "Letters (uppercase and lowercase), Numbers, and select special characters ("\", "-", and"_")." (I may have missed something, but that's my best guess on the fly…
o If AntiSamy regulates color names, do the color names match the colors in the CKEditor?
§ Example AntiSamy code: <regexp name="colorName" value="(aqua|black|blue|fuchsia|gray|grey|green|lime|maroon|navy|olive|purple|red|silver|teal|white|yellow)"/>
<regexp-list>
<regexp name="colorName"/>
<regexp name="colorCode"/>
</regexp-list>
§ If color names are limited to the list above, if a professor selects the "Brown" color in the CKEditor interface, will the pop-up warning happen and the color choice stripped?
Daniel Merino
Related to this conversation I filed a JIRA about the content which is lost when HTML is sanitized, that is the most annoying issue that AntiSamy has raised among our teachers:
https://jira.sakaiproject.org/browse/SAM-2578
Earle suggested an ideal solution for this in the comments, a JS library that sents the content to AntiSamy so feedback can be given before saving the text, though I suspect that is not an easy fix.
Hope it helps.
Best regards.
--
You received this message because you are subscribed to the Google Groups "Sakai Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sakai-user+...@apereo.org.
To post to this group, send email to sakai...@apereo.org.
Visit this group at http://groups.google.com/a/apereo.org/group/sakai-user/.
Daniel Merino Echeverría
daniel...@unavarra.es
Gestor de E-learning - Centro Superior de Innovación Educativa.
Tfno: 948-168489 - Universidad Pública de Navarra.