MDL-54883

Comments should not allow typing any HTML


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.1, 3.4.2
    • Fix Version/s: None
    • Component/s: Comments
    • Labels:
    • Affected Branches: MOODLE_31_STABLE, MOODLE_34_STABLE

      Description

      The comments API allows HTML-formatted comments to be posted. Even though it is properly sanitised of embedded JavaScript and nasty formatting (such as position:fixed styles etc.), it can still be abused for social engineering tricks.

      Many users are not even aware that HTML can be used there, as they can't see any editor in the first place. I don't think the solution is to add the editor (as requested in MDL-24598). I believe the comments should behave much like Facebook: plain text messages with support for sharing images and links, but in a controlled manner and not via raw HTML.
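The gap the report describes, between "XSS-safe" and "spoof-safe", can be shown with a small constructed example. The code below is added here for illustration and is not Moodle's code: the allowlist sanitizer is a stand-in for whatever cleaning the comments API applies (it strips scripts, event handlers, style attributes and javascript: URLs), the hostnames attacker.example and moodle.example are made up, and `render_plain_comment` is one possible implementation of the plain-text-plus-controlled-links behaviour the reporter asks for. The point it makes: a link whose visible text is a URL on a different host than its href passes the sanitizer untouched, while the plain-text rendering cannot express that mismatch at all.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist, standing in for a real HTML cleaner (not Moodle's).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}


class AllowlistSanitizer(HTMLParser):
    """Toy sanitizer: keeps allowlisted tags/attributes, drops everything else.

    It is XSS-safe for the inputs below, but it says nothing about whether the
    link *text* is honest, which is the social-engineering problem."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <div style=...>, <iframe> etc. are dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, class=, ...
            if name == "href" and urlsplit(value or "").scheme.lower() not in SAFE_SCHEMES:
                continue  # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close down to the matching open tag so output stays well-formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it.
        self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_tags:  # close anything the author left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


LINK_RE = re.compile(r'<a href="([^"]*)">(.*?)</a>', re.S)


def deceptive_links(clean_html: str) -> list:
    """Return (href, visible_text) pairs whose visible text looks like a URL
    on a different host than the real destination. These survive sanitization."""
    found = []
    for href, text in LINK_RE.findall(clean_html):
        text_host = urlsplit(text.strip()).hostname if "://" in text else None
        if text_host and text_host != urlsplit(href).hostname:
            found.append((href, text))
    return found


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def render_plain_comment(text: str) -> str:
    """Alternative the report argues for: treat the comment as plain text,
    escape all of it, and autolink bare URLs so link text always equals href."""
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(escape(text[pos:m.start()], quote=False))
        url = escape(m.group(0), quote=True)
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(escape(text[pos:], quote=False))
    return "".join(out)


# Constructed sample comments (not real data).
XSS_ATTEMPT = ('<b onclick="alert(1)">hi</b><script>alert(2)</script>'
               '<a href="javascript:alert(3)">x</a>')
SPOOF = ('Please re-enter your password at '
         '<a href="https://attacker.example/login">https://moodle.example/login</a>')

if __name__ == "__main__":
    print(sanitize(XSS_ATTEMPT))          # script/handlers gone
    print(deceptive_links(sanitize(SPOOF)))  # but the spoofed link is intact
    print(render_plain_comment("Log in at https://moodle.example/login <b>now</b>"))
```

Run stand-alone, the first line shows the sanitizer doing its job, the second shows the lookalike link passing through unchanged, and the third shows that under plain-text rendering the author cannot make link text and destination disagree.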
