Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-60055

Filters converting links to embedded contents (i.e. mediaplugin) must be smarter for https sites



    • Improvement
    • Resolution: Won't Do
    • Minor
    • None
    • 3.4
    • Filters, Media


      This issue is part of the series of issues encouraging sites to migrate to SSL and make their sites secure. Loginhttps does NOT make sites secure and will be removed soon (MDL-42834)

      Using the tool added in MDL-46269 site admins can convert links to embedded content (such <img>, <video>, <audio>, <iframe>, <embed>) from http to https .

      However some filters (including standard plugin filter_mediaplugin) convert links to embedded content on-the-fly. tool_httpsreplace will not pick up these links and convert them.
      Filters have to make sure that they never create embedded content pointing to http:// on https site

      Suggested solution (please edit later if the actual solution is different):

      1. When $CFG->wwwroot has https:// and the URL in question is http://
        • if the URL can be substituted with https substitute it and proceed with normal filter behavior
        • If it can not be substituted - leave it as a link and add a CSS class to the link, something like "non_secure_resource" (please correct) . Add a rule to show red exclamation mark and maybe a help why it is not converted. Otherwise teachers will keep asking why some links are converted and some not.
      2. In other cases proceed with normal filter behavior

      This is where we might need a core API (with caching!) that checks if https://site.com is accessible similar to how tool_httpsreplace does it. We might need to change the code in tool_httpsreplace that calls curl::get_info() to use this API as well.


        Issue Links



              Unassigned Unassigned
              marina Marina Glancy
              1 Vote for this issue
              4 Start watching this issue




                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.