Current description:
By default Moodle will always thoroughly clean text that comes from users to remove any possible bad scripts, media, etc. that could be a security risk. The Trusted Content system is a way of giving particular users that you trust the ability to include these advanced features in their content without interference. To enable this system, you need to first enable this setting (enabletrusttext), and then grant the Trusted Content permission (moodle/site:trustcontent) to a specific Moodle role. Texts created or uploaded by such users will be marked as trusted and will not be cleaned before display.
BUT - even with enabletrusttext disabled - users holding a capability defined with the RISK_XSS flag can submit content that is not cleaned. This is not enforced in code; it is a policy developers apply when deciding whether they may pass the noclean option to format_text().
E.g. module intros (like a label). There is no definitive list of these places.
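To make the two code paths concrete, here is an added illustration (not Moodle core code and not part of this issue) of how a plugin might display a user-authored intro. It assumes the core lib/weblib.php functions format_text(), trusttext_active() and trusttext_trusted() behave as documented, where format_text() skips cleaning when 'noclean' is true, and when 'trusted' is true and trusttext_active() (i.e. $CFG->enabletrusttext) is on. The helper names and the introtrust field are hypothetical.

```php
<?php
// Added example, not Moodle core code. Assumes core functions from
// lib/weblib.php: format_text(), trusttext_active(), trusttext_trusted().
// $record->introtrust is a hypothetical column; function names are hypothetical.

defined('MOODLE_INTERNAL') || die();

/**
 * Pattern 1: the implicit policy this issue describes. Cleaning is skipped
 * unconditionally; the only protection is that whoever may edit this field
 * holds a capability flagged RISK_XSS. enabletrusttext is never consulted,
 * so turning it off does not restore cleaning on this path.
 */
function hypothetical_render_intro_noclean(stdClass $record, context $context): string {
    return format_text($record->intro, $record->introformat, [
        'noclean' => true,   // raw markup reaches the browser regardless of enabletrusttext
        'context' => $context,
    ]);
}

/**
 * Save-path helper for pattern 2: record whether the author was trusted at
 * save time. trusttext_trusted() is true only when enabletrusttext is enabled
 * AND the current user has moodle/site:trustcontent in $context.
 */
function hypothetical_mark_intro_trust(stdClass $record, context $context): stdClass {
    $record->introtrust = trusttext_trusted($context) ? 1 : 0;
    return $record;
}

/**
 * Pattern 2: explicit trust. Cleaning is skipped only if the stored trust
 * flag is set and trusttext_active() is still true at display time; in every
 * other case the intro is cleaned like ordinary user input, so disabling
 * enabletrusttext immediately re-enables cleaning site-wide.
 */
function hypothetical_render_intro_trusttext(stdClass $record, context $context): string {
    return format_text($record->intro, $record->introformat, [
        'trusted' => !empty($record->introtrust) && trusttext_active(),
        'context' => $context,
    ]);
}
```

Auditing for pattern 1 (grep for `'noclean' => true` / `'noclean'=>true`) is the practical way to build the list of places the description says does not exist.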
- has a non-specific relationship to: MDL-58639 Remove RISK_XSS from capabilities, instead rely on moodle/site:trustcontent (Reopened)
- has been marked as being related by: MDL-58639 Remove RISK_XSS from capabilities, instead rely on moodle/site:trustcontent (Reopened)
- is duplicated by: MDL-53903 moodle/site:trustcontent is ineffective (Closed)