Technology from the trenches

How To Disable Tag Filters on Apple’s Wiki/Blog Server

The wiki/blog server in Mac OS X Server is a boon for collaboration between groups with simple needs. It provides easy posting of text, images and other files on wikis and blogs. However, it has a few drawbacks. To improve security on the blogs and wikis, Apple set up filters that allow only a limited set of simple HTML tags in user-generated content; the rest are automatically removed. For private servers, where the users are authenticated and trusted, this is needlessly limiting. Here’s how to disable that feature.

It is very simple to do: you just need to comment out two lines of this file:

/usr/share/wikid/lib/python/apple_wlt/ContentFilters.py

Before you make any changes, create a backup copy of the file in case something goes wrong or you change your mind later. In Mac OS X Server 10.5.4, you need to comment out lines 9 and 21 of ContentFilters.py. They are the two lines that import and reference the “WhitelistContentFilter.py” file and its functions.

...
#import WhitelistContentFilter
...
#WhitelistContentFilter.WhitelistContentFilter(supportPath + 'whitelist.plist'),
...

The WhitelistContentFilter.py file in the same directory contains the actual default whitelist, in case you only want to add a few tags to the list. If you’re comfortable with Python, you could also edit the file to suit your whitelisting needs.

Note that the above is not the official way of managing whitelists. I would only recommend it if your blog and wiki are access-controlled so that only trusted users can edit content. If your blog and/or wiki is open to public access, you create a severe security hole by disabling content filtering, since unfiltered HTML can include scripts that run in other users’ browsers. Note also that future updates from Apple may overwrite these changes.

The official way to edit the “whitelist” of allowed tags is to add this file to your system: /Library/Application Support/Apple/WikiServer/whitelist.plist. You can learn more about this by searching the Apple discussion forums.
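An added example (not from the original post or from Apple): a shell check that reports whether the two lines discussed above are live or commented out, useful when auditing a server or confirming what an update left behind. It matches the lines by content rather than by number; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the whitelist filter in ContentFilters.py is active.
# Lines are matched by content, not by number, since the article's line numbers
# (9 and 21) apply to Mac OS X Server 10.5.4 only.

# count PATTERN FILE: print the number of matching lines (0 if none).
count() { grep -Ec "$1" "$2" || true; }

# wiki_filter_state FILE: print enabled | disabled | inconsistent | unknown | unreadable
wiki_filter_state() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 0; }
    imp='import[[:space:]]+WhitelistContentFilter'
    ref='WhitelistContentFilter\.WhitelistContentFilter\('
    imp_on=$(count "^[[:space:]]*$imp" "$f")
    ref_on=$(count "^[[:space:]]*$ref" "$f")
    off=$(count "^[[:space:]]*#[[:space:]]*($imp|$ref)" "$f")
    if [ "$imp_on" -gt 0 ] && [ "$ref_on" -gt 0 ]; then
        echo enabled        # both lines live: tags are being filtered
    elif [ "$imp_on" -eq 0 ] && [ "$ref_on" -eq 0 ] && [ "$off" -gt 0 ]; then
        echo disabled       # commented out, as the article describes
    elif [ "$imp_on" -gt 0 ] || [ "$ref_on" -gt 0 ]; then
        echo inconsistent   # only one of the two lines is live
    else
        echo unknown        # neither line found; the file layout differs
    fi
}

# make_sample FILE: write a constructed stand-in for ContentFilters.py (not Apple's code).
make_sample() {
    cat > "$1" <<'EOF'
import WhitelistContentFilter
filters = [
    WhitelistContentFilter.WhitelistContentFilter(supportPath + 'whitelist.plist'),
]
EOF
}

# Demonstration on constructed files; on a real server pass the path from the article.
tmp=$(mktemp -d)
make_sample "$tmp/on.py"
sed -E 's/^([[:space:]]*)(import Whitelist|WhitelistContentFilter\.)/\1#\2/' \
    "$tmp/on.py" > "$tmp/off.py"
echo "stock file:  $(wiki_filter_state "$tmp/on.py")"
echo "edited file: $(wiki_filter_state "$tmp/off.py")"
rm -rf "$tmp"
```

On a server, run `wiki_filter_state /usr/share/wikid/lib/python/apple_wlt/ContentFilters.py`; a result of `inconsistent` means only one of the two lines was changed and the file should be restored from the backup.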
