Moodle / MDL-47658

Description of enabletrusttext is misleading


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.7.2
    • Fix Version/s: BACKEND
    • Component/s: Language
    • Labels:
    • Affected Branches:
      MOODLE_27_STABLE

      Description

      Current description:

      By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media etc that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting, and then grant the Trusted Content permission to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display.

      BUT, even with enabletrusttext disabled, users with a capability defined with the XSS flag can upload content that is not filtered. (This is not enforced in code, but is a policy devs apply when deciding if they can use the noclean option for format_text.)

      E.g. module intros (like a label). There is no definitive list of these places.
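
      Because the issue notes there is no definitive list of these places, the following added example (not part of the original report and not Moodle's own code) sketches a heuristic audit over PHP source text: it lists capabilities whose `riskbitmask` includes `RISK_XSS` and the lines that turn on `noclean`. It assumes the usual `db/access.php` array layout; the `mod/example` plugin and both sample strings are constructed, and the output is a list for manual review, not proof that content is rendered unfiltered.

```python
import re

# Capability key as written in a plugin's db/access.php, e.g. 'mod/label:addinstance' => array(
CAP_RE = re.compile(r"'([a-z0-9_]+/[a-z0-9_]+:[a-z0-9_]+)'\s*=>\s*(?:array\s*\(|\[)")
RISK_RE = re.compile(r"'riskbitmask'\s*=>\s*([A-Z_|\s]+)")
# Both spellings of the option: array('noclean' => true) and $options->noclean = true
NOCLEAN_RE = re.compile(r"['\"]noclean['\"]\s*=>\s*true|->noclean\s*=\s*true", re.I)

def xss_capabilities(access_php):
    """Names of capabilities whose riskbitmask includes RISK_XSS."""
    caps = [(m.start(), m.group(1)) for m in CAP_RE.finditer(access_php)]
    found = []
    for i, (pos, name) in enumerate(caps):
        end = caps[i + 1][0] if i + 1 < len(caps) else len(access_php)
        risk = RISK_RE.search(access_php, pos, end)  # only inside this entry
        if risk and "RISK_XSS" in re.split(r"[|\s]+", risk.group(1)):
            found.append(name)
    return found

def noclean_sites(source):
    """(line number, code) for each non-comment line that turns noclean on."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if NOCLEAN_RE.search(line)
            and not line.lstrip().startswith(("//", "*", "#"))]

# Constructed sample input (hypothetical mod/example plugin, not real Moodle code).
SAMPLE_ACCESS = """$capabilities = array(
    'mod/example:addinstance' => array(
        'riskbitmask' => RISK_XSS,
        'captype' => 'write',
    ),
    'mod/example:view' => array(
        'captype' => 'read',
    ),
    'mod/example:manage' => array(
        'riskbitmask' => RISK_SPAM | RISK_XSS,
        'captype' => 'write',
    ),
);"""
SAMPLE_LIB = """// 'noclean' => true skips cleaning
$intro = format_text($m->intro, $m->introformat, array('noclean' => true));
$post = format_text($post->message, $post->messageformat);
$options->noclean = true;"""

if __name__ == "__main__":
    print("RISK_XSS capabilities:", xss_capabilities(SAMPLE_ACCESS))
    for n, code in noclean_sites(SAMPLE_LIB):
        print(f"line {n}: {code}")
```

      Each reported `noclean` line still has to be traced by hand to the capability that guards the corresponding input form, since the link between the two is a developer policy rather than something the code enforces.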
