Moodle

Allow admin to use EMBED and OBJECT but not others

Details

  • Type: New Feature
  • Status: Closed
  • Priority: Minor
  • Resolution: Duplicate
  • Affects Version/s: 1.9.2
  • Fix Version/s: None
  • Component/s: Roles / Access
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE

Description

May I recommend a new permission: useembedandobject.

If set to yes, then selected roles could use the EMBED and OBJECT tags.

This is important because Apple's preferred way of embedding QuickTime is to use both of these tags, but I agree that for security reasons students should not be able to use them. Currently, at least in the Database module, EMBED and OBJECT tags are stripped out even if site permissions are set to allow EMBED and OBJECT tags.

Thank you.

Bill

Activity

Eloy Lafuente (stronk7) added a comment -

Hi Bill,

I've divided this bug in order to talk separately about:

1) The proposal of a new capability to control who can use EMBED and OBJECT tags. Sounds nice, but I'm not sure if that can be done (after thinking a bit about that, because cleaning happens at view time, not at edition time). Anyway, reassigning this to Petr.

2) About the database module, not respecting the $CFG->allowobjectembed setting, I've created MDL-15981 and assigned it to Robert.

Thanks and ciao

Petr Škoda (skodak) added a comment -

1/ Setting to allow embedding should be imo removed, because it is extremely dangerous
2/ The trust text feature was supposed to solve this, unfortunately the current implementation is really far from optimal
3/ the database module is cleaning the user submitted data only, the templates can contain anything (anybody who edits them should know what they are doing)
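
Added illustration, not part of the tracker comments and not Moodle code: because cleaning runs at view time, the author's right to use EMBED and OBJECT has to be recorded when the text is saved and consulted when it is rendered. The `trusted` field, the function names and the sample HTML are constructed for this sketch; `useembedandobject` is the name proposed in the description, and requiring the site setting in addition to the stored flag is an assumption.

```python
from html import escape
from html.parser import HTMLParser

BLOCKED = {"object", "embed", "param"}  # removed from untrusted text
CAPABILITY = "useembedandobject"        # name proposed in this issue
# Constructed sample input, not taken from any real course.
SAMPLE = ('<p>Clip &amp; notes</p><object data="clip.mov">'
          '<embed src="clip.mov"></object><p>End</p>')

class _Stripper(HTMLParser):
    """Re-emit HTML without BLOCKED elements or anything inside <object>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "object":
            self.depth += 1
        elif tag not in BLOCKED and self.depth == 0:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        if tag not in BLOCKED and self.depth == 0:
            self.out.append(self.get_starttag_text())
    def handle_endtag(self, tag):
        if tag == "object":
            self.depth = max(0, self.depth - 1)
        elif tag not in BLOCKED and self.depth == 0:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(escape(data, quote=False))

def strip_object_embed(html):
    """An unclosed <object> drops the rest of the text (fails closed)."""
    parser = _Stripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def save(author_caps, html):
    """Edit time: the only moment the author's capabilities are known.
    Trust is recomputed on every save, so an edit by a user without the
    capability clears it."""
    return {"html": html, "trusted": CAPABILITY in author_caps}

def render(record, allow_object_embed):
    """View time: only the stored flag and the site setting are available."""
    if allow_object_embed and record["trusted"]:
        return record["html"]
    return strip_object_embed(record["html"])
```

This sketch only covers the EMBED/OBJECT decision; it is not a general HTML cleaner, and text marked trusted is returned unfiltered.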

