Affects Version/s: 3.3
Fix Version/s: None
Component/s: Roles / Access
Epic Name: Remove RISK_XSS from capabilities
I have been closing lots of security reports about users being able to inject XSS, referring them to:
Each text field ('editor' form element) should have three fields in the database rather than the usual two, for example:
Editor options should include:
(Editor options are passed to the form element 'editor' and also to file_prepare_standard_editor() and file_save_draft_area_files())
This way, users with the capability 'moodle/site:trustcontent' in the current context will be able to insert JS, and users without it will not.
BEFORE storing the text into the database, clean it for users who do not have 'moodle/site:trustcontent' in the current context. (See also discussion below)
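The save path described above, written out as an added example (this is not code from the tracker issue or from Moodle core). The helper names save_editor_field_with_trust(), prepare_record_for_editing() and trusted_editor_options() are hypothetical; the functions they call (file_prepare_standard_editor(), file_postupdate_standard_editor(), trusttext_trusted(), clean_text()) and the 'trusttext', 'maxfiles', 'context' and 'subdirs' editor option keys are existing Moodle core APIs. The component, file area and item id are whatever the calling plugin uses.

```php
<?php
// Added example, not part of the issue or of Moodle core: saving an 'editor'
// field so that only users holding moodle/site:trustcontent in the current
// context can store unfiltered HTML/JS, and everyone else gets cleaned text.
defined('MOODLE_INTERNAL') || die();

/**
 * Editor options with the trust flag enabled (hypothetical helper).
 * The same options array is used when preparing the form and when saving it.
 */
function trusted_editor_options(context $context): array {
    return [
        'trusttext' => true,                  // Honour the {field}trust column.
        'maxfiles'  => EDITOR_UNLIMITED_FILES,
        'context'   => $context,
        'subdirs'   => 0,
    ];
}

/**
 * Load a record into the form (hypothetical helper).
 * With 'trusttext' set, core consults the third column ({field}trust) and
 * strips dangerous markup from the editor content unless the author was trusted.
 */
function prepare_record_for_editing(stdClass $record, string $field, context $context,
        string $component, string $filearea, int $itemid): stdClass {
    $options = trusted_editor_options($context);
    return file_prepare_standard_editor($record, $field, $options, $context,
        $component, $filearea, $itemid);
}

/**
 * Process submitted form data BEFORE it is written to the database
 * (hypothetical helper). Returns the record with $field, {field}format and
 * {field}trust populated.
 */
function save_editor_field_with_trust(stdClass $data, string $field, context $context,
        string $component, string $filearea, int $itemid): stdClass {
    $options = trusted_editor_options($context);

    // Move draft-area files and flatten the editor array into text + format.
    $data = file_postupdate_standard_editor($data, $field, $options, $context,
        $component, $filearea, $itemid);

    // Third column: trusted only if trusttext is enabled site-wide AND the
    // current user holds moodle/site:trustcontent in THIS context.
    // Set explicitly here so the decision is visible at the save site.
    $trustfield  = $field . 'trust';
    $formatfield = $field . 'format';
    $data->$trustfield = trusttext_trusted($context) ? 1 : 0;

    // Untrusted authors never get raw scripts into the DB: clean now, so a
    // later change of capability or trust setting cannot resurrect them.
    if (!$data->$trustfield) {
        $data->$field = clean_text($data->$field, $data->$formatfield);
    }
    return $data;
}
```

On output, the stored trust column is what tells format_text() whether cleaning may be skipped (its 'trusted' option), so the three columns travel together: text, format and trust. Cleaning at save time for untrusted users is what the issue asks for, and it is what keeps the database free of payloads even if the display code later forgets to pass the trust flag.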
Please create issues in this epic for individual capabilities that you want to see refactored and we will work on them one by one. Please vote on issues so we can see which capabilities should be converted first.