Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-37593

TinyMCE HTML editor fails to load in Chrome on edit profile page due to https

    Details

      Description

      When editing user's profile with "HTTPS security" enabled, the TinyMCE editor javascript is linked with plain http link.
      That is a problem for the default display behavior in Chrome as it ignores non-https links in ssl secured pages and only shows small shield icon in url bar and that can be easily overlooked.
      This might also be a security issue in other browsers as non-secured javascript can change any part of the secured page and/or steal user data.

      Tested with 2.4.1 and https://github.com/rajeshtaneja/moodle/compare/MOODLE_24_STABLE...wip-mdl-36674-m24 patch which actually enables profile editing with "https security" enabled.

        Gliffy Diagrams

          Issue Links

            Activity

            Hide
            rajeshtaneja Rajesh Taneja added a comment - - edited

            Thanks for reporting this, Pavel

            I am assigning this to Petr, as he is the best person to handle this issue.

            Show
            rajeshtaneja Rajesh Taneja added a comment - - edited Thanks for reporting this, Pavel I am assigning this to Petr, as he is the best person to handle this issue.
            Hide
            skodak Petr Skoda added a comment -

            Thanks for the report.

            To integrators: 2.3 is not included intentionally because it is using different code and should not have this problem.

            Show
            skodak Petr Skoda added a comment - Thanks for the report. To integrators: 2.3 is not included intentionally because it is using different code and should not have this problem.
            Hide
            poltawski Dan Poltawski added a comment -

            Integrated, thanks Petr.

            Show
            poltawski Dan Poltawski added a comment - Integrated, thanks Petr.
            Hide
            phalacee Jason Fowler added a comment -

            Works Fine now Petr, thanks for that

            Show
            phalacee Jason Fowler added a comment - Works Fine now Petr, thanks for that
            Hide
            stronk7 Eloy Lafuente (stronk7) added a comment -

            Surely you will be happy to know that your code is now part of Moodle upstream. Thanks, thanks!

            Closing as fixed, ciao

            Show
            stronk7 Eloy Lafuente (stronk7) added a comment - Surely you will be happy to know that your code is now part of Moodle upstream. Thanks, thanks! Closing as fixed, ciao
            Hide
            skodak Petr Skoda added a comment -

            Removing security flag because only full https on all pages is now considered secure.

            Show
            skodak Petr Skoda added a comment - Removing security flag because only full https on all pages is now considered secure.

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  11/Mar/13