Hi Paul,

I definitely agree that it is a potential security risk and that people
editing community and collection pages have to watch out what they are
doing.
However, the ability to get script tags executed on those pages makes some
integrations relatively lightweight.

One example is the Twitter badges you can configure via
https://publish.twitter.com/
Copy-paste the resulting script tag into your collection or community
description and the tweets are immediately there:
https://newdemo.openrepository.com/handle/2384/582855

Maybe it would make sense to allow or disallow either the entry of such
code into the description fields, or the rendering, based on a repository
wide on-off switch?

With kindest regards,

Bram

Bram Luyten
250-B Suite 3A, Lucius Gordon Drive, West Henrietta, NY 14586
Gaston Geenslaan 14, 3001 Leuven, Belgium
DSpace Express Hosting <https://www.atmire.com/dspace-express?utm_source=emailfooter&utm_medium=email&utm_campaign=braml>
 - Open Repository Hosting <https://www.atmire.com/open-repository?utm_source=emailfooter&utm_medium=email&utm_campaign=braml>
 - Custom DSpace Services <https://www.atmire.com/custom-dspace?utm_source=emailfooter&utm_medium=email&utm_campaign=braml>


On Wed, 27 May 2020 at 11:17, Paul Münch <muen...@staff.uni-marburg.de>
wrote:

> Hello Mark,
>
> thanks for the reply. I checked the SimpleHTMLFragment.java, but it
> isn't used in the community or collection UI. I guess that it's an XSLT
> problem.
>
> HTML-code snippets in the community or collection description fields are
> interpreted, but not on the item page. The only difference I see is that
> in item-view.xsl the function xsl:value-of is used instead of
> xsl:copy-of in community-view.xsl or collection-view.xsl. I updated
> xsl:copy-of to xsl:value-of but nothing changed.
>
> I like the feature itself but try to keep users from adding script tags
> to description texts.
>
> Kind regards,
>
> Paul Münch
>
> Am 19.05.20 um 14:56 schrieb Mark H. Wood:
> > On Tue, May 19, 2020 at 08:09:07AM +0200, Paul Münch wrote:
> >> Unfortunately it is possible to add some executable scripts in the
> description metadata of communities and collections. Even if someone doesn't
> plan evil things, inexperienced community or collection admins could do
> some damage.
> >>
> >> Do you have a solution or a workaround for this? I've looked for the
> code snippet which executes the HTML code but didn't find anything.
> > Have you looked at
> dspace-xmlui/src/main/java/org/dspace/app/xmlui/wing/element/SimpleHTMLFragment.java?
> >
>
> --
> All messages to this mailing list should adhere to the DuraSpace Code of
> Conduct: https://duraspace.org/about/policies/code-of-conduct/
> ---
> You received this message because you are subscribed to the Google Groups
> "DSpace Technical Support" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dspace-tech+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/dspace-tech/cf549c62-255b-0010-45b3-8e1a94b4c978%40staff.uni-marburg.de
> .
>
