-
Improvement
-
Resolution: Fixed
-
Minor
-
None
-
3.1.11, 3.1.12, 3.1.13, 3.2.8, 3.2.9, 3.3.5, 3.3.6, 3.3.7, 3.4.2, 3.4.3, 3.4.4, 3.5, 3.5.1
-
MOODLE_31_STABLE, MOODLE_32_STABLE, MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE
Because recordings are resources that are external to Moodle, same as before, they should be displayed in a new tab when accessing them.
The problem right now is that as the clicks on the recording are triggering a BIGBLUEBUTTON_EVENT_RECORDING_VIEWED event, there is a redirect from the server.
As the click uses a generic ajax request applied to all the links/buttons used for recordings, the redirect is considered as XSS.