Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-37593

TinyMCE HTML editor fails to load in Chrome on edit profile page due to https

    Details

      Description

      When editing user's profile with "HTTPS security" enabled, the TinyMCE editor javascript is linked with plain http link.
      That is a problem for the default display behavior in Chrome as it ignores non-https links in ssl secured pages and only shows small shield icon in url bar and that can be easily overlooked.
      This might also be a security issue in other browsers as non-secured javascript can change any part of the secured page and/or steal user data.

      Tested with 2.4.1 and https://github.com/rajeshtaneja/moodle/compare/MOODLE_24_STABLE...wip-mdl-36674-m24 patch which actually enables profile editing with "https security" enabled.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

              Hide
              rajeshtaneja Rajesh Taneja added a comment - - edited

              Thanks for reporting this, Pavel

              I am assigning this to Petr, as he is the best person to handle this issue.

              Show
              rajeshtaneja Rajesh Taneja added a comment - - edited Thanks for reporting this, Pavel I am assigning this to Petr, as he is the best person to handle this issue.
              Hide
              skodak Petr Skoda added a comment -

              Thanks for the report.

              To integrators: 2.3 is not included intentionally because it is using different code and should not have this problem.

              Show
              skodak Petr Skoda added a comment - Thanks for the report. To integrators: 2.3 is not included intentionally because it is using different code and should not have this problem.
              Hide
              poltawski Dan Poltawski added a comment -

              Integrated, thanks Petr.

              Show
              poltawski Dan Poltawski added a comment - Integrated, thanks Petr.
              Hide
              phalacee Jason Fowler added a comment -

              Works Fine now Petr, thanks for that

              Show
              phalacee Jason Fowler added a comment - Works Fine now Petr, thanks for that
              Hide
              stronk7 Eloy Lafuente (stronk7) added a comment -

              Surely you will be happy to know that your code is now part of Moodle upstream. Thanks, thanks!

              Closing as fixed, ciao

              Show
              stronk7 Eloy Lafuente (stronk7) added a comment - Surely you will be happy to know that your code is now part of Moodle upstream. Thanks, thanks! Closing as fixed, ciao
              Hide
              skodak Petr Skoda added a comment -

              Removing security flag because only full https on all pages is now considered secure.

              Show
              skodak Petr Skoda added a comment - Removing security flag because only full https on all pages is now considered secure.

                People

                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    11/Mar/13