Improvement
Resolution: Won't Fix
Minor
None
3.2.4, 3.3, Future Dev
MOODLE_32_STABLE, MOODLE_33_STABLE
MDL-59997_master
Currently, Moodle strips data-encoded images in certain places like glossary and forums, etc. An example is shown here:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAzCAYAAABvwNN0AAAC5klEQVRYR+2Z/ZFNQRDFz0aACNgIEAEiYCNABIgAESACNgJEgAgQASJABNRv686tuT1nvnbf2/1np+rVvnp3pk9P9+m+3b0HusB10MB+IOmVpBuNPX8kfZb0Zvk7dZUa+C1JnyRdnZCGEs8kfRs9UwN/J+nhqJBs309Jh6PnHDi3/T0qwOzDFSj/UhLfq8uBP5L09gzg6Sjmv9dSwIE7k0Oop0YhSMnvdyrKHkviMnY5cEweicYNIFRt4evrlYdwgOfFiuCw/OvAvrjlrqTXkm6as9XbR3BMSGzn64skhI8sxxdIx+0L8kVw529Y+2IEeXEXJr4S9j9eImDzcwT/YTJaz99RL3eBj5IgZxW8Ft+tFOwMgovIjnFdi6bPBaPZ+3DiuyRIOLvwbzT9kaQPuaAcHL8+Dyi1+O4p40xfsD4HJ45jsrBE6SEv/o1WLPJ+Dr4LsiW9avzZJJwc/J+50SzZchHk9ph0NpZMwh1Df3UKiZ71uxxK4I7pM5nNKeJkYo3baXMCd1rOZDYH3s0b+wRHIRfv3Pyk1ErgLsyKpNBzsnnelNsCn83pTjdes0/Cg9Wd+wZvMj6BuwSz+uYU5k5HXAivUZTAd51gLsEvzZ5ztiCcewOdG9tdJtpFkmm+sC4iyZxbhqNgvB+SFD08aXd9sbiCb910hgzXLM32+UplnAJ4XGtplr64Hs12GRNWcH3bpg9o1XCbkmcCNG11/t70AQm8VvIULc6gEjV5m/DNS+NuqTsIzDbnxqIazsFd1TE1XcqUcywvWq8cvDaVmA252kCpGI/EjsSlWS402rPha24dZzrd/hyQWm/NM9zSm63RHBZDgGUkVgyUXC/mfJ9zjRCCnEkYsUtPBskc8PBAKIHUzD9B+JOtf5d+z04ia10oPsMCp5m/5go2G49eC4wpqb3jiGPEAl2S9sABwQoowWdECUxNuG3mL07bEfD8HLmAiOBv+icAoxRIR0ICkE9z2pwE/gdRe7k0pLUckAAAAABJRU5ErkJggg==" /> |
Some browsers use data-encoded images when copy/pasting images, and dragging and dropping images. Some plugins also use data-encoded images.
I have selected "Could be a security issue" so that someone on the security team could review the allowing of the following and any security issues it might cause. (I don't believe there are any.)
The proposed change would allow the following data: in img tags and possibly other tags.
'image/jpeg'
'image/gif'
'image/png'
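
The check a reviewer would want behind such an allowlist, as an added example that is not Moodle code and not part of the original report: accept an img src only when it is a base64 data: URI, its declared type is one of the three proposed types, and the decoded bytes begin with that type's file signature. The function name, the size cap and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not Moodle code. Names and the size cap are hypothetical.
// Proposed MIME types mapped to the leading bytes each format must have.
const ALLOWED_DATA_IMAGE_TYPES = [
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/gif'  => 'GIF8',
    'image/png'  => "\x89PNG\r\n\x1a\n",
];
const MAX_DATA_IMAGE_BYTES = 262144; // Assumed cap on the decoded size.

/**
 * Return true only for data:<type>;base64,<payload> where <type> is on the
 * allowlist and the decoded payload starts with that type's signature.
 */
function is_allowed_data_image(string $src): bool {
    // Exact shape only: no charset or other parameters, no non-base64 form.
    $pattern = '~^data:([a-z]+/[a-z0-9.+-]+);base64,([a-z0-9+/]+={0,2})$~iD';
    if (!preg_match($pattern, trim($src), $m)) {
        return false;
    }
    $type = strtolower($m[1]);
    if (!array_key_exists($type, ALLOWED_DATA_IMAGE_TYPES)) {
        return false;
    }
    // Refuse oversized payloads before spending memory on decoding them.
    if (strlen($m[2]) > intdiv(MAX_DATA_IMAGE_BYTES * 4, 3) + 4) {
        return false;
    }
    $bytes = base64_decode($m[2], true); // Strict mode: false on bad input.
    if ($bytes === false) {
        return false;
    }
    // The declared type must agree with what the bytes actually are.
    $signature = ALLOWED_DATA_IMAGE_TYPES[$type];
    return strncmp($bytes, $signature, strlen($signature)) === 0;
}

// Constructed samples: only the leading bytes of each format, not real images.
$samples = [
    'png'             => 'data:image/png;base64,' . base64_encode("\x89PNG\r\n\x1a\n" . 'body'),
    'jpeg'            => 'data:image/jpeg;base64,' . base64_encode("\xFF\xD8\xFF\xE0" . 'body'),
    'type mismatch'   => 'data:image/png;base64,' . base64_encode('GIF89a'),
    'not allowlisted' => 'data:image/svg+xml;base64,' . base64_encode('<svg/>'),
    'not base64 form' => 'data:image/png,rawtext',
];
foreach ($samples as $label => $src) {
    printf("%-16s %s\n", $label, is_allowed_data_image($src) ? 'allow' : 'strip');
}
```

The first two samples are allowed and the last three are stripped: a declared type that does not match the bytes, a type outside the three proposed, and a data: URI that is not base64-encoded.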