Moodle MDL-32316

In Feedback. Item type 'label' does not honor 'trusted text' ($CFG->enabletrusttext)

    Details

    • Testing Instructions:
      1. Enable trusted text.
      2. Create a feedback instance.
      3. Create a new label item and use text that is cleaned by default, such as JavaScript or similar.

      The JavaScript should be executed while printing the label.
      If trusted text is not enabled, the script should be filtered.
    • Affected Branches:
      MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-32316_master_wip
    • Rank:
      39125

      Description

      In the edit form for the label feedback item (mod/feedback/item/label/label_form.php), the type for the HTML editor form element is set to PARAM_CLEANHTML. This is wrong. It should be PARAM_RAW. The cleaning of the HTML editor text is all done in the HTML editor libraries.

      As it stands, it breaks the $CFG->enabletrusttext setting: the setting doesn't do anything in this case.

      Additionally, at the end of the print_item() function in mod/feedback/item/label/lib.php, the echo format_text(..) line is now wrong. I think it should read:

      echo format_text($output, FORMAT_HTML, array('overflowdiv'=>true, 'trusted'=>$CFG->enabletrusttext ));
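
A simplified model of the behaviour this issue describes, added here as an illustration and not taken from Moodle or from the fix. The `model_*` functions are hypothetical stand-ins (the script-stripping regex stands in for Moodle's real HTML cleaning), and the sample label is constructed.

```php
<?php
// Added illustration: simplified stand-ins, not Moodle's own functions.

// Stand-in for Moodle's HTML cleaning; it only strips <script> blocks.
function model_clean_html(string $html): string {
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
}

// Submit time: what the form element's PARAM_ type does to the posted value.
function model_submit(string $posted, string $paramtype): string {
    return $paramtype === 'PARAM_CLEANHTML' ? model_clean_html($posted) : $posted;
}

// Display time: output is left uncleaned only when the caller marks the text
// as trusted AND the site-wide enabletrusttext setting is on.
function model_format_text(string $stored, bool $trusted, bool $enabletrusttext): string {
    $noclean = $trusted && $enabletrusttext;
    return $noclean ? $stored : model_clean_html($stored);
}

// Full path of a label from the edit form to the rendered page.
function model_render(string $posted, string $paramtype, bool $trusted, bool $enabletrusttext): string {
    return model_format_text(model_submit($posted, $paramtype), $trusted, $enabletrusttext);
}

// Constructed sample input.
$label = '<p>Welcome</p><script>alert(1)</script>';

$cases = [
    ['PARAM_CLEANHTML', true,  true],   // reported behaviour: the setting has no effect
    ['PARAM_RAW',       true,  true],   // trusted text honoured
    ['PARAM_RAW',       true,  false],  // setting off: cleaned at output
    ['PARAM_RAW',       false, true],   // caller did not mark the text trusted: cleaned
];
foreach ($cases as [$type, $trusted, $enabled]) {
    $out = model_render($label, $type, $trusted, $enabled);
    printf("%-15s trusted=%d enabletrusttext=%d script_kept=%s\n",
        $type, $trusted, $enabled, strpos($out, '<script') !== false ? 'yes' : 'no');
}
```

With the `format_text()` line proposed in the description, the `'trusted'` flag follows the site setting alone, so every label author is treated as trusted whenever `$CFG->enabletrusttext` is on. Moodle's trusted-text design otherwise ties trust to the author holding the `moodle/site:trusttext` capability, which is worth checking when reviewing who can edit feedback items.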

        Activity

        Howard Miller created issue -
        Howard Miller made changes -
        Field Original Value New Value
        Priority Minor [ 4 ] Major [ 3 ]
        Labels partner
        Howard Miller made changes -
        Summary In Feedback. Item type 'label' has wrong PARAM_ type for html editor. In Feedback. Item type 'label' does not honor 'trusted text' ($CFG->enabletrusttext)
        Andreas Grabs made changes -
        Status Open [ 1 ] Development in progress [ 3 ]
        Andreas Grabs made changes -
        Status Development in progress [ 3 ] Waiting for integration review [ 10010 ]
        Pull Master Diff URL https://github.com/grabs/moodle/compare/master...MDL-32316_master_wip
        Pull Master Branch MDL-32316_master_wip
        Pull from Repository git://github.com/grabs/moodle.git
        Fix Version/s 2.1.6 [ 12052 ]
        Fix Version/s 2.2.3 [ 12053 ]
        Fix Version/s 2.3 [ 10657 ]
        Pull 2.1 Branch MDL-32316_21_wip
        Pull 2.2 Diff URL https://github.com/grabs/moodle/compare/MOODLE_22_STABLE...MDL-32316_22_wip
        Pull 2.1 Diff URL https://github.com/grabs/moodle/compare/MOODLE_21_STABLE...MDL-32316_21_wip
        Pull 2.2 Branch MDL-32316_22_wip
        Sam Hemelryk made changes -
        Currently in integration Yes [ 10041 ]
        Sam Hemelryk made changes -
        Status Waiting for integration review [ 10010 ] Integration review in progress [ 10004 ]
        Integrator samhemelryk
        Sam Hemelryk made changes -
        Status Integration review in progress [ 10004 ] Waiting for testing [ 10005 ]
        Fix Version/s 2.3 [ 10657 ]
        Michael de Raadt made changes -
        Labels partner partner triaged
        Michael de Raadt made changes -
        Tester rwijaya
        Rossiani Wijaya made changes -
        Status Waiting for testing [ 10005 ] Testing in progress [ 10011 ]
        Rossiani Wijaya made changes -
        Status Testing in progress [ 10011 ] Tested [ 10006 ]
        Dan Poltawski made changes -
        Status Tested [ 10006 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Currently in integration Yes [ 10041 ]
        Dan Poltawski made changes -
        Integration date 19/Apr/12
