  1. Moodle
  2. MDL-65015

Clean HTML in messages

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.6
    • Fix Version/s: 3.7
    • Component/s: Messages
    • Testing Instructions:

      Setup

      1. Log in as an admin
      2. Create three new users: t1, s1 and s2.
      3. Create a new course and enrol the new users:
        1. t1 as a teacher
        2. s1 and s2 as students
      4. Create a group named GroupTest with these three users and turn on the 'Group messaging' setting.

      Tests

      Tests without trusttext

      1. Log in as "t1".
      2. As "t1", send a message to GroupTest with this content:

        Test Video
        <iframe width="560" height="315" src="https://www.youtube.com/embed/vUgjNhTUrBY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

      3. EXPECTED RESULT: Confirm that you cannot see the YouTube video in the message and that you can see only the "Test Video" text.
      4. Go to Group info and select the "s1" user.
      5. Send a message to the "s1" user with the same content.
      6. Log in as "s1".
      7. Go to GroupTest in messaging.
      8. EXPECTED RESULT: Confirm that you cannot see the YouTube video in the message and that you can see only the "Test Video" text.
      9. Go to Private messaging and open the conversation with "t1".
      10. EXPECTED RESULT: Confirm that you cannot see the YouTube video in the message and that you can see only the "Test Video" text.
      11. As "s1", send a message to "t1" with this content: <b>Test bold </b>
      12. EXPECTED RESULT: Confirm that you can see the message in bold.

      Tests with trusttext enabled

      1. Log in as an admin.
      2. Go to Site administration > Security > Site security settings and enable "Enable trusted content" (enabletrusttext).
      3. Go to Site administration > Users > Permissions > Define Roles, edit the Teacher role and check whether the moodle/site:trustcontent capability (Trust submitted content) is set to Allow. If not, set it to Allow and save.
      4. Log in as "t1".
      5. As "t1", send a message to GroupTest with this content:

        Test Video
        <iframe width="560" height="315" src="https://www.youtube.com/embed/vUgjNhTUrBY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

      6. EXPECTED RESULT: Confirm that you can see the YouTube video in the message and the "Test Video" text.
      7. Go to Group info, select "s2" and send a message with the same content.
      8. EXPECTED RESULT: Confirm that you cannot see the YouTube video in the message and that you can see only the "Test Video" text.
      9. Log in as an admin.
      10. Send a private message to "s2" with the same content.
      11. EXPECTED RESULT: Confirm that you can see the YouTube video in the message and the "Test Video" text.
      12. Log in as "s1".
      13. Go to GroupTest in messaging.
      14. EXPECTED RESULT: Confirm that you can see the YouTube video in the message and the "Test Video" text.
      15. Log in as "s2".
      16. Go to GroupTest in messaging.
      17. EXPECTED RESULT: Confirm that you can see the YouTube video in the message and the "Test Video" text.
      18. Go to the private conversation with "t1".
      19. Send a message to "t1" with the same content.
      20. EXPECTED RESULT: Confirm that you cannot see the YouTube video in the message and that you can see only the "Test Video" text.
      21. As "s2", send a message to "t1" with this content: <b>Test bold </b>
      22. EXPECTED RESULT: Confirm that you can see the message in bold.

      Tests Bulk user actions with trusttext enabled

      1. Log in as an admin.
      2. Go to preferences and, in Editor preferences, select "Atto HTML editor" as the text editor.
      3. Go to Site administration > Users > Accounts > Bulk user actions.
      4. Select s1 and s2 from "User in list ..." and click Add to selection.
      5. In "With selected users..." choose "Send a message" and click Go.
      6. Use the </> button in the Atto toolbar (it may be in the collapsed part of the toolbar).
      7. Paste this content, save changes and confirm to send:

        Test Video
        <iframe width="560" height="315" src="https://www.youtube.com/embed/vUgjNhTUrBY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

      8. EXPECTED RESULT: Go to private messaging with "s1" and "s2" and confirm that you can see the YouTube video in the message and the "Test Video" text.

      Tests send a message from Participants list with trusttext enabled

      1. Log in as "t1".
      2. Go to the new course.
      3. Go to the Participants page of the course.
      4. Select s1 and s2 and in "With selected users..." choose "Send a message".
      5. Paste this content and send the message:

        Test Video
        <iframe width="560" height="315" src="https://www.youtube.com/embed/vUgjNhTUrBY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

      6. EXPECTED RESULT: Go to private messaging with "s1" and "s2" and confirm that you cannot see the YouTube video in the message and that you can see only the "Test Video" text.
      7. Log in as an admin.
      8. Go to the new course.
      9. Go to the Participants page of the course.
      10. Select s1 and s2 and in "With selected users..." choose "Send a message".
      11. Paste this content and send the message:

        Test Video
        <iframe width="560" height="315" src="https://www.youtube.com/embed/vUgjNhTUrBY" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

      12. EXPECTED RESULT: Go to private messaging with "s1" and "s2" and confirm that you can see the YouTube video in the message and the "Test Video" text.

       

    • Affected Branches:
      MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE
    • Pull Master Branch:
      MDL-65015-master

      Description

      We need to apply the standard Moodle trusttext approach to message text so that we can be certain messages are cleaned in the same way as forum posts or glossary entries and comments.

      Docs: https://docs.moodle.org/dev/Trusttext_cleaning_bypass

      Note: we don't need that cleaning on input if the contents aren't editable, and at the moment they aren't. In the future, the ability to edit your messages could be a great feature to add.

       
      To sum up, this is a summary table of how trusttext is used in messages:

      Individual/Group Conversation from messaging (FORMAT_MOODLE)

                          trusttext enabled   trusttext disabled
      Text to html        Yes                 Yes
      Clean Text          No                  Yes
      Moodle Filters      Yes                 Yes

      Bulk User Action (FORMAT_HTML)

                          trusttext enabled   trusttext disabled
      Clean Text          No                  Yes
      Moodle Filters      Yes                 Yes

      Bulk User Action (FORMAT_MARKDOWN)

                          trusttext enabled   trusttext disabled
      Markdown to html    Yes                 Yes
      Clean Text          No                  Yes
      Moodle Filters      Yes                 Yes

      Send a message from Participation List (FORMAT_MOODLE)

      Currently, the messages sent through the list of participants are individual conversations and therefore the context is system.

                          trusttext enabled   trusttext disabled
      Text to html        Yes                 Yes
      Clean Text          No                  Yes
      Moodle Filters      Yes                 Yes
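
The cleaning decision that the tables and test steps above exercise, as an added Python sketch (not Moodle's code and not part of the original issue): cleaning is skipped only when trusttext is enabled and the sender holds moodle/site:trustcontent in the conversation's context. The names `clean`, `render_message` and `TRUSTED_IN`, the tiny tag allowlist and the mapping of group conversations to the course context are assumptions; the text-to-HTML and filter steps are left out.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"b", "i", "em", "strong", "p"}  # constructed allowlist for this sketch

class Cleaner(HTMLParser):
    """Toy stand-in for the 'Clean Text' step: allowlisted tags only, no attributes."""
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED:
            self.out.append(f"<{tag}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def clean(text):
    c = Cleaner()
    c.feed(text)
    c.close()
    return "".join(c.out)

# Assumption from the test setup: the admin holds moodle/site:trustcontent
# everywhere, t1 only through the Teacher role in the course, students nowhere.
TRUSTED_IN = {"admin": {"system", "course"}, "t1": {"course"}, "s1": set(), "s2": set()}

def render_message(text, sender, kind, enabletrusttext):
    # Individual conversations are evaluated in the system context (stated on
    # the page); mapping group conversations to the course context is assumed.
    context = "course" if kind == "group" else "system"
    if enabletrusttext and context in TRUSTED_IN[sender]:
        return text          # "Clean Text: No"
    return clean(text)       # "Clean Text: Yes"

IFRAME = ('Test Video <iframe width="560" height="315" '
          'src="https://www.youtube.com/embed/vUgjNhTUrBY"></iframe>')

# (sender, conversation kind, enabletrusttext, video expected) from the test steps
SCENARIOS = [
    ("t1", "group", False, False), ("t1", "individual", False, False),
    ("t1", "group", True, True), ("t1", "individual", True, False),
    ("admin", "individual", True, True), ("s2", "individual", True, False),
]

def video_visible(sender, kind, enabletrusttext):
    return "<iframe" in render_message(IFRAME, sender, kind, enabletrusttext)

if __name__ == "__main__":
    for sender, kind, on, expected in SCENARIOS:
        print(sender, kind, on, video_visible(sender, kind, on) == expected)
```

The fourth scenario is the one worth watching in a real deployment: a teacher who is trusted in the course still has private messages cleaned, because the capability is checked in the system context.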

                Dates

                • Fix Release Date: 20/May/19

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 5h 5m