  1. Moodle
  2. MDL-66486

"Login as" applies forceclean to all content, not just that which is untrusted

Details

    • MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE

    Description

      To recreate

      1. Embed a YouTube video on the course page
      2. Note that the video is showing
      3. Login as another user in the course with the "Login as" button
      4. Note that the video is not showing

      The same thing occurs in Book and other resources and activities.

      Update by MH: We apply forceclean to 'login as' sessions to prevent JavaScript risks from untrusted content (such as students' dashboards), but there needs to be further investigation into whether it's: 1) possible and 2) safe, to apply this sanitizing only on the pages where it is required, so that teachers can still see "trusted" content (such as iframes and JavaScript included by teachers within a course) when logging in as their students.

            People

              Unassigned
              cdipe Peter Diedrichs
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes: 25
              Watchers: 22