MDL-25619: Moodle cannot clean content in format_text() before it is exported to a remote portfolio

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0.1
    • Component/s: Portfolio API
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE
    • Rank:
      15683

      Description

      It was discussed in MDL-23978 that the cleaning features of format_text() may break the content so that it cannot be processed by portfolio_rewrite_pluginfile_urls(). I thought that the issue could be solved just by a correct order of these steps: format the text first, rewrite the URLs after.

      But now I realized that the cleaning in format_text() does other things that were not spotted before: for example, it replaces spaces in URLs with %20. The URL rewrite therefore cannot find the linked file.

      URL rewriting cannot be called before HTML cleanup because HTML Purifier removes the converted <img> tags completely. And it cannot be called after cleanup because the URLs may already have been modified by the purifier.

      This was discussed with Penny and we agreed that the only way is to call format_text() with the noclean option. This has pretty serious impacts because malicious code can be exported into a downloaded file or an external system. But as Petr mentioned in MDL-23978, it is the target system's responsibility to filter the input anyway, as it cannot trust any source.
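      An added illustration of the ordering problem described above (a constructed model, not Moodle code): clean_html() stands in for the URL-encoding side effect of the format_text() cleaning, rewrite_file_links() for a rewrite step like portfolio_rewrite_pluginfile_urls() that resolves placeholder links by exact file name, and AllowlistSanitizer for the filtering the target system has to do on import. The @@FILE@@ placeholder, the file area, the file names and the untrusted markup are all made up for the example.

```python
"""Constructed model of the export pipeline discussed in MDL-25619.

None of this is Moodle code. clean_html() imitates one effect of the
format_text() cleaning (percent-encoding spaces in URLs), rewrite_file_links()
imitates a rewrite step that resolves placeholder links by exact file name, and
AllowlistSanitizer plays the role of the receiving system's own input filter.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Constructed placeholder and file area; the real Moodle conventions are not shown on the issue page.
PLACEHOLDER = "@@FILE@@/"
FILE_AREA = {"diagram.png": b"<png bytes>", "my notes.pdf": b"<pdf bytes>"}

# Constructed untrusted content: a link to a file whose name contains a space,
# an image, and a script element that an export must not pass on unfiltered.
SAMPLE = ('<p>See <a href="@@FILE@@/my notes.pdf">my notes</a> '
          '<img src="@@FILE@@/diagram.png" alt="d"></p><script>alert(1)</script>')


def clean_html(html):
    """Toy cleaner: percent-encodes spaces (and other unsafe characters) inside src/href values."""
    def encode(match):
        return f'{match.group(1)}="{quote(match.group(2), safe="/:@%")}"'
    return re.sub(r'(src|href)="([^"]*)"', encode, html)


def rewrite_file_links(html, files):
    """Toy rewriter: replaces placeholder links with attachment paths, matching names exactly.
    Returns (rewritten_html, names_found, names_missing)."""
    found, missing = [], []

    def substitute(match):
        name = match.group(1)
        if name in files:
            found.append(name)
            return f"attachments/{name}"
        missing.append(name)          # no file of that name: link left untouched
        return match.group(0)
    out = re.sub(re.escape(PLACEHOLDER) + r'([^"]+)', substitute, html)
    return out, found, missing


def export_clean_then_rewrite(html, files):
    """Order rejected in the issue: cleaning first turns 'my notes.pdf' into
    'my%20notes.pdf', so the rewrite no longer finds the file."""
    return rewrite_file_links(clean_html(html), files)


def export_noclean(html, files):
    """Order chosen in the issue: no cleaning, so every file resolves, but the markup leaves unfiltered."""
    return rewrite_file_links(html, files)


class AllowlistSanitizer(HTMLParser):
    """Receiving-side filter: keeps an allowlist of tags/attributes and drops everything else."""
    ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
    VOID = {"img"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            if tag in ("script", "style"):
                self.skip += 1           # also drop the element's text content
            return
        kept = []
        for key, value in attrs:
            value = value or ""
            if key not in self.ALLOWED[tag]:
                continue
            if key in ("href", "src") and urlsplit(value).scheme not in ("", "http", "https"):
                continue                 # only relative or http(s) targets survive
            kept.append(f' {key}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in self.ALLOWED and tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def sanitize_import(html):
    """What the target system should do with whatever the noclean export delivers."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    _, found, missing = export_clean_then_rewrite(SAMPLE, FILE_AREA)
    print("clean then rewrite: found", found, "missing", missing)
    exported, found, missing = export_noclean(SAMPLE, FILE_AREA)
    print("noclean: found", found, "missing", missing)
    print("after import filter:", sanitize_import(exported))
```

      Running it shows the two halves of the problem side by side: the clean-then-rewrite order loses "my notes.pdf" because the lookup now sees "my%20notes.pdf", while the noclean order resolves both files but hands the script element to the exporter, which is why the filtering has to happen on the receiving side.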


            People

            • Assignee:
              David Mudrak
            • Reporter:
              David Mudrak
            • Tester:
              Nobody
            • Votes:
              0
            • Watchers:
              1
