Moodle

Admin account can't use EMBED tags

Details

  • Type: New Feature
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 1.9.2
  • Fix Version/s: None
  • Labels:
    None
  • Database:
    MySQL
  • Affected Branches:
    MOODLE_19_STABLE

Description

I have the preferences set to NOT allow the EMBED tag, but I would think that the ADMIN account should still be able to use EMBED (and OBJECT) tags. It is this way in the Lesson activity.

The bug (or feature?) is to allow ADMIN accounts to input EMBED and OBJECT tags inside a database record even if the preferences deny the right for a student. My immediate need is to embed QuickTime, and their preferred way is to use both these tags.

Activity

Eloy Lafuente (stronk7) added a comment -

Assigning this to Petr... and adding Robert... to know about. Ciao

Petr Škoda (skodak) added a comment -

Allowing embed and javascript in general is always tricky. The "trusttext" feature was supposed to solve this, but unfortunately the code is very fragile and I do not like it at all. In theory it should be possible to use the text cleaning selectively but the required changes are not trivial.

Eloy Lafuente (stronk7) added a comment -

There is one follow up of this bug here: MDL-15979

Ciao

Petr Škoda (skodak) added a comment -

I am sorry, our security module does not allow this. The problem is that we must be cleaning the rusts before display of text, but at that time we may not always have information who entered the text. In places where only teachers are allowed to post we skip the cleaning and you can use any HTML, in places where only students post no JS or embedding is allowed. There are some mixed places where we use the trusttext to track the origin of the HTML.

Petr Skoda
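
The design described in the comment above, modelled as an added example that is not part of the original thread and is not Moodle's code: the author's role is recorded as a flag at write time, and the display path, which no longer knows the author, uses that flag to decide whether to clean. The names `save`, `edit`, `render`, `ALLOWED_TAGS` and the three area labels are assumptions made for the illustration.

```python
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li"}  # assumed allowlist

class _Cleaner(HTMLParser):
    """Re-emit allowlisted tags without attributes; drop other tags, escape text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))

def clean(html):
    cleaner = _Cleaner()
    cleaner.feed(html)
    cleaner.close()
    return "".join(cleaner.out)

@dataclass
class StoredText:
    body: str
    trusted: bool  # origin flag, kept beside the text rather than inside it

def save(body, author_is_trusted):
    # Write path: the only point where the author's role is known.
    return StoredText(body, author_is_trusted)

def edit(item, new_body, editor_is_trusted):
    # The flag follows the last editor, so an untrusted edit revokes trust.
    return StoredText(new_body, editor_is_trusted)

def render(item, area, trust_enabled=True):
    """area is 'teacher_only', 'student_only' or 'mixed' (hypothetical labels)."""
    if area == "teacher_only":
        return item.body  # only trusted roles can post here: cleaning skipped
    if area == "mixed" and trust_enabled and item.trusted:
        return item.body  # flag records that a trusted author wrote it
    return clean(item.body)  # author unknown or untrusted: clean before display
```

The `edit` path is where such a scheme tends to break: any code that rewrites the text without recomputing the flag lets untrusted markup inherit an earlier author's trust.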

