Moodle / MDL-37593

TinyMCE HTML editor fails to load in Chrome on edit profile page due to https

      Description

      When editing a user's profile with "HTTPS security" enabled, the TinyMCE editor JavaScript is linked with a plain http link.
      That is a problem for the default display behavior in Chrome, as it ignores non-https links in SSL-secured pages and only shows a small shield icon in the URL bar, which can be easily overlooked.
      This might also be a security issue in other browsers, as non-secured JavaScript can change any part of the secured page and/or steal user data.

      Tested with 2.4.1 and https://github.com/rajeshtaneja/moodle/compare/MOODLE_24_STABLE...wip-mdl-36674-m24 patch which actually enables profile editing with "https security" enabled.

          Activity

          Rajesh Taneja added a comment - edited

          Thanks for reporting this, Pavel

          I am assigning this to Petr, as he is the best person to handle this issue.

          Petr Škoda added a comment -

          Thanks for the report.

          To integrators: 2.3 is not included intentionally because it is using different code and should not have this problem.

          Dan Poltawski added a comment -

          Integrated, thanks Petr.

          Jason Fowler added a comment -

          Works fine now, Petr, thanks for that

          Eloy Lafuente (stronk7) added a comment -

          Surely you will be happy to know that your code is now part of Moodle upstream. Thanks, thanks!

          Closing as fixed, ciao

          Petr Škoda added a comment -

          Removing security flag because only full https on all pages is now considered secure.
