Moodle

Database module doesn't respect the $CFG->allowobjectembed config setting

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 1.8.6, 1.9.2
  • Fix Version/s: 2.0
  • Labels:
    None
  • Affected Branches:
    MOODLE_18_STABLE, MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_20_STABLE

Description

It seems that the database module doesn't respect the $CFG->allowobjectembed setting, and both OBJECT and EMBED tags are always cleaned.

IMO it should be respected. Ciao

Note: This bug is a split from MDL-15979

Activity

Petr Škoda (skodak) added a comment -

my -1,
this setting should have been removed long ago because it is a huge security hole

Bill Mounce added a comment -

I agree that I should be able to not allow users to use EMBED and OBJECT tags. But my issue is that Apple requires both these tags to include QuickTime properly, and for various reasons I can't use the multimedia plugins.

Another way to do this is to allow the admin user to use the two tags, and then have a permission as to whether the user can. Is there a security risk when I embed my QT files as the admin but then not allow students to embed tags? I don't think there is.

What I found out, after a week of inputting information, was that if I allow EMBED and OBJECT tags so I can put in the QuickTime, but then turn it off so others can't do this, then the data is cleaned upon viewing and the student can't see the QuickTime. So what I am forced to do is not allow any students to input any information on the site, which of course defeats the entire purpose of using Moodle – we want student interaction.

So I am back to my point that the admin should be able to use EMBED and OBJECT tags regardless of how this permission is set for other roles. Please??????

Bill

Petr Škoda (skodak) added a comment -

unfortunately this is not solvable in a secure way in stable branches, sorry

Petr Škoda (skodak) added a comment -

The new html purifier integration should allow some forms of object and embed, but I would strongly discourage anybody from using it on production sites due to security concerns. Thanks for the report.

Petr Skoda

