Details
- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 1.9
- Fix Version/s: 2.0.8
- Component/s: Assignment
- Labels: None
- Database: MySQL
- Affected Branches: MOODLE_19_STABLE
- Fixed Branches: MOODLE_20_STABLE
Description
Problem description:
Both the student submission and the teacher response are saved into the database correctly, so the HTML typed inside the HTML editor is stored straight into the database.
On the other hand, when this submission is shown it is printed by the format_text PHP function. The problem is that the FORMAT_HTML filter cleans the styles saved in the database (clean_text PHP function).
Possible Solution:
/*
 * Teacher's feedback
 * file=/lib/gradelib.php:450-452
 */
450 $options = new stdClass;
451 $options->noclean = true;
452 $grade->str_feedback = format_text($grade->feedback, $grade->feedbackformat, $options);
/*
 * Student's submission
 * file=/mod/assignment/type/online/assignment.class.php:104-106
 */
104 $options = new stdClass;
105 $options->noclean = true;
106 $grade->str_feedback = format_text($grade->feedback, $grade->feedbackformat, $options);
I'm not that sure how these modifications could affect the Moodle style page, and whether there is a possibility of malicious code injection through showing raw HTML.
Hello,
all student submitted texts MUST be cleaned, it is not possible to use noclean = true there.
The problem is in the KSES cleaning library - it does not understand CSS attributes at all; the aging workaround was to add CSS attributes into the allowed protocols list. Since 1.9 it is possible to use HTML Purifier instead (though there are still some unsolved problems there). In 2.0 we should finally stop using KSES as the default option and there will be something else (probably HTML Purifier).
Petr
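As an added illustration of the direction the comment above points to (a cleaner that understands CSS, rather than the reporter's noclean = true), here is a small allowlist HTML cleaner in PHP. It is example code written for this page, not Moodle's clean_text, KSES or HTML Purifier; the tag list, the CSS property list with its value patterns, the http(s)-only href rule and the sample submission are all the example's own assumptions. It needs PHP 7.1 or later with the dom extension.

```php
<?php
// Added example for this tracker issue, not Moodle code: an allowlist HTML
// cleaner that keeps a validated subset of CSS in style="" instead of either
// stripping every style (the KSES limitation) or skipping cleaning with
// $options->noclean = true. Tag, attribute and CSS lists are assumptions.
// Requires PHP 7.1+ with ext/dom.

const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'span', 'a'];

// Elements whose content must go too (other unknown elements are only unwrapped).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// CSS properties an editor commonly emits, each with a strict value pattern.
// Anything else (url(), expression(), unknown properties) is discarded.
const ALLOWED_CSS = [
    'color'            => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$/i',
    'background-color' => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$/i',
    'font-weight'      => '/^(normal|bold|[1-9]00)$/i',
    'font-style'       => '/^(normal|italic)$/i',
    'text-decoration'  => '/^(none|underline|line-through)$/i',
    'text-align'       => '/^(left|right|center|justify)$/i',
];

// Keep only allowlisted declarations from a style attribute value.
function clean_style(string $style): string {
    $kept = [];
    foreach (explode(';', $style) as $decl) {
        if (strpos($decl, ':') === false) {
            continue;
        }
        [$prop, $value] = explode(':', $decl, 2);
        $prop  = strtolower(trim($prop));
        $value = trim($value);
        if (isset(ALLOWED_CSS[$prop]) && preg_match(ALLOWED_CSS[$prop], $value)) {
            $kept[] = "$prop: $value";
        }
    }
    return implode('; ', $kept);
}

// Recursively clean the children of $parent in place.
function clean_node(DOMNode $parent): void {
    // Iterate over a snapshot because the child list is mutated below.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is escaped on serialisation
        }
        if (!($child instanceof DOMElement)) {
            $parent->removeChild($child);   // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $parent->removeChild($child);
            continue;
        }
        clean_node($child);                 // descendants first
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown element: keep its already cleaned content, drop the tag.
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if ($name === 'style') {
                $clean = clean_style($attr->value);
                if ($clean === '') {
                    $child->removeAttribute($attr->name);
                } else {
                    $child->setAttribute('style', $clean);
                }
            } elseif (!($name === 'href' && $tag === 'a'
                        && preg_match('#^https?://#i', trim($attr->value)))) {
                $child->removeAttribute($attr->name);   // on*, class, id, src, ...
            }
        }
    }
}

// Parse, clean and re-serialise an HTML fragment.
function clean_html(string $html): string {
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate editor tag soup
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample submission: editor styling that should survive, plus an
// attribute and an element that must not reach the grader's browser.
$submitted = '<p style="color: #c00; font-weight: bold; background: url(http://example.com/x.png)">Answer</p>'
           . '<p onclick="doThing()">more text</p><script>doThing()</script>';

echo clean_html($submitted), PHP_EOL;
```

Running this prints the two paragraphs with the colour and bold styling intact while the background url(), the onclick attribute and the script element are gone; echoing $submitted directly is what noclean = true amounts to, and it would hand the same markup to the grader's browser unchanged. The DOM extension's parser is not an HTML5 parser, so for real deployments the comment's recommendation (a maintained library such as HTML Purifier) is the right choice; the point of the example is only that "keep the styles" and "clean the submission" are not in conflict once the cleaner validates CSS instead of discarding it.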