  1. Moodle
  2. MDL-47658

Description of enabletrusttext is misleading


    • Bug
    • Resolution: Unresolved
    • Minor
    • BACKEND
    • 2.7.2, 4.0.5
    • Language
    • MOODLE_27_STABLE, MOODLE_400_STABLE

      Current description:

      By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media etc that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting, and then grant the Trusted Content permission to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display.

      BUT - even with enabletrusttext disabled - users with a capability defined with the XSS flag can upload content that is not filtered (this is not enforced in code, but is a policy devs apply when deciding if they can use the noclean option for format_text).

      E.g. module intros (like a label). There is no definitive list of these places.

            Unassigned
            damyon Damyon Wiese
            Votes: 5
            Watchers: 12
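
The report says there is no definitive list of the places where the noclean option is used. The following is an added example, not code from the Moodle project or from the reporter: a small Python helper that builds such a list from a local source checkout by flagging PHP lines that switch noclean on. The two option spellings it matches (array key and object property) are assumptions about how callers write the option, and the sample snippet is constructed.

```python
import re
import sys
from pathlib import Path

# Assumed spellings of the option in PHP source: array key or object property.
NOCLEAN_ON = re.compile(
    r"""(?:['"]noclean['"]\s*=>\s*|->noclean\s*=\s*)(?:true|1)\b""",
    re.IGNORECASE,
)
COMMENT_PREFIXES = ("//", "#", "/*", "*")


def find_noclean(php_source):
    """Return (line_number, stripped_line) for each line that switches noclean on."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(COMMENT_PREFIXES):
            continue  # skip whole-line comments and docblock lines
        if NOCLEAN_ON.search(stripped):
            hits.append((number, stripped))
    return hits


def scan_tree(root):
    """Map each .php file under root to its hits; files without hits are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_noclean(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample, not taken from Moodle's code base.
SAMPLE = """<?php
$options = array('noclean' => true, 'para' => false);
echo format_text($intro, $introformat, $options);
$o = new stdClass();
$o->noclean = true;
echo format_text($summary, FORMAT_HTML, $o);
echo format_text($post, FORMAT_HTML, array('noclean' => false));
// 'noclean' => true in a comment is ignored
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, hits in scan_tree(sys.argv[1]).items():
            for number, text in hits:
                print(f"{name}:{number}: {text}")
    else:
        print(find_noclean(SAMPLE))
```

Each hit is a place to check which capability gates authoring of the text being rendered, since that is where the policy described above has to hold.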
