Moodle MDL-20080: Ability to install and use input filters

Details

• Type: New Feature
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 1.9.5
• Fix Version/s: None
• Component/s: Filters, Libraries
• Labels: None
• Environment: This affects all areas where user textual input is possible.
• Database: Any
• Difficulty: Easy
• Affected Branches: MOODLE_19_STABLE

Description

Moodle has a well-established framework which allows for the installation of pluggable and configurable output content filters. One prominent example is the math content filters, used to render visual representations of formulas written, for instance, in the TeX or LaTeX language.

Depending on how a particular piece of content is processed by a filter, potential security issues may arise. For instance, without the required attention, a user may type a well-crafted sequence of LaTeX commands to be processed by the LaTeX filter which will reveal the contents of a protected or hidden file, or even alter the contents of such a file. On the other hand, simply banning all such commands prevents the teacher from using important and sometimes essential LaTeX constructs.

Using just output filters it is impossible to solve this issue, because the output filter cannot precisely determine the rights of the content author. Furthermore, one single page, like a forum discussion, may show content which was produced by a teacher alongside content which was input by a student.

Our patch proposes to solve this issue by allowing Moodle to filter input based on the rights of the individual who is providing the input. In fact, we are not proposing a new filter framework, but just allowing a filter.php file to also provide a function named filtername_input_filter. The main change caused by this patch is to ensure that the places where user input is acquired call the input filter chain, thus filtering user input.

Our new filter LatexRender-ng, available at latexrender-ng.sourceforge.net, is an example of such a filter. It replaces the old LatexRender filter with many more new features, including the input filtering. Thus a teacher can use the full power of LaTeX while a student or other less authorized user will not be able to abuse it.
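As an added illustration that is not code from the issue's patch or from LatexRender-ng, here is a PHP sketch of what a filtername_input_filter hook could look like for the LaTeX case; the ($text, $trusted) signature, the capability name and the list of filtered control words are assumptions.

```php
<?php
// Added example; not code from the MDL-20080 patch or from LatexRender-ng.
// It sketches an input filter of the shape the issue proposes: a filter.php
// function named <filtername>_input_filter that rewrites user input according
// to the author's rights before the text is stored. The ($text, $trusted)
// signature is an assumption; the issue does not state the real one.

// TeX primitives that read or write files on the server. A constructed
// deny-list for illustration, not a complete one.
const LATEXRENDER_NG_FILE_PRIMITIVES = [
    'input', 'include', 'openin', 'openout', 'read', 'write', 'immediate',
];

/**
 * Trusted authors (decided by the caller, e.g. with has_capability() on a
 * capability such as the hypothetical 'filter/latexrender_ng:fullaccess')
 * keep the full power of LaTeX. For anyone else the backslash of each listed
 * control word is dropped, so "\input{x}" is stored as the literal text
 * "input{x}" and later renders harmlessly instead of opening a file.
 */
function latexrender_ng_input_filter(string $text, bool $trusted): string {
    if ($trusted) {
        return $text;
    }
    $names = implode('|', array_map('preg_quote', LATEXRENDER_NG_FILE_PRIMITIVES));
    // A control word starts at a backslash preceded by an even number of
    // backslashes: in "\\input" the "\\" is a line break and "input" is plain
    // text. The even run is captured ($1) and written back unchanged, and a
    // lookahead (not \b) ends the word so that "\write18" is still caught.
    $pattern = '/(?<!\\\\)((?:\\\\\\\\)*)\\\\(' . $names . ')(?![A-Za-z])/';
    return preg_replace($pattern, '$1$2', $text);
}

// Constructed sample: the same text as submitted by a student and by a teacher.
$sample = 'Area: $\frac{1}{2}$ \\\\ see \input{hidden-file.tex}';
echo latexrender_ng_input_filter($sample, false), "\n";
echo latexrender_ng_input_filter($sample, true), "\n";
```

A name-based deny-list is only a first layer, since TeX's macro facilities can build control sequences at run time; the renderer should also run with shell escapes disabled and with openin_any/openout_any restricted in texmf.cnf.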

      It is possible that this solution is still incomplete. The author will be glad to know whether he can contribute any further and hopes that his contribution will be evaluated.
