Moodle: MDL-66486

"Login as" applies forceclean to all content, not just that which is untrusted


    • MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_404_STABLE

      To recreate

      1. Embed a YouTube video on the course page
      2. Note that the video is showing
      3. Login as another user in the course with the "Login as" button
      4. Note that the video is not showing

      The same thing occurs in Book and other resources and activities.


      Update by MH: We apply forceclean to 'login as' sessions to prevent JavaScript risks from untrusted content (such as students' dashboards), but there needs to be further investigation into whether it is 1) possible and 2) safe to apply this sanitizing only on the pages where it is required, so that teachers can still see "trusted" content (such as iframes and JavaScript included by teachers within a course) when logging in as their students.
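      As an added illustration (this is not Moodle's code and not a proposed patch), the PHP below models the two policies discussed above: today's behaviour, where forceclean is switched on for the whole "Login as" session and overrides the noclean flag that trusted course content normally gets, and the alternative the update asks to investigate, where only content whose author was not trusted is stripped. The function names, the $authorTrusted flag and the sample HTML are constructed for the example; strip_active_content() is a small stand-in for Moodle's HTML cleaner, not a complete sanitizer. Requires PHP 8 with ext-dom.

```php
<?php
// Added example for MDL-66486; illustration only, not Moodle's code.
// A "Login as" session runs with the real user's (teacher's or admin's)
// cookies, so script or iframes in content written by the impersonated
// student would execute with those privileges. forceclean avoids that by
// stripping active content from everything the page renders.
// Hypothetical names: render_current(), render_proposed(), $authorTrusted.
declare(strict_types=1);

/** Stand-in cleaner: drop script/iframe/object/embed, on* handlers and javascript: URLs. */
function strip_active_content(string $html): string
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true); // fragments have no doctype; ignore parser warnings
    $dom->loadHTML(
        '<?xml encoding="UTF-8"><div id="wrap">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    $xpath = new DOMXPath($dom);

    // Collect first, then mutate: removing nodes while iterating a node list skips entries.
    $active = iterator_to_array($xpath->query('//script|//iframe|//object|//embed'), false);
    foreach ($active as $node) {
        $node->parentNode->removeChild($node);
    }
    $attrs = iterator_to_array($xpath->query('//@*'), false);
    foreach ($attrs as $attr) {
        $name  = strtolower($attr->nodeName);
        $value = strtolower(trim($attr->nodeValue));
        if (str_starts_with($name, 'on') || str_starts_with($value, 'javascript:')) {
            $attr->ownerElement->removeAttribute($attr->nodeName);
        }
    }

    $out = '';
    foreach ($xpath->query('//div[@id="wrap"]')->item(0)->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

/**
 * Current behaviour as described in the issue: forceclean is on for every
 * "Login as" session, so $noclean (set for trusted course content) is overridden.
 */
function render_current(string $html, bool $noclean, bool $loggedInAs): string
{
    $forceclean = $loggedInAs;
    return ($noclean && !$forceclean) ? $html : strip_active_content($html);
}

/**
 * The alternative the update asks about (hypothetical): keep trusted content
 * intact when logged in as, strip only content whose author was not trusted.
 * $authorTrusted stands in for the per-content trust check that the issue
 * says still has to be shown to be both possible and safe.
 */
function render_proposed(string $html, bool $noclean, bool $loggedInAs, bool $authorTrusted): string
{
    return ($noclean && (!$loggedInAs || $authorTrusted)) ? $html : strip_active_content($html);
}

// Constructed sample content (VIDEO_ID is a placeholder, not a real video).
$teacherEmbed = '<p>Lecture 1</p>'
    . '<iframe src="https://www.youtube.com/embed/VIDEO_ID" allowfullscreen></iframe>';
$studentBlock = '<p>My notes</p>'
    . '<img src="x" onerror="fetch(\'/admin/user.php\')"><script>alert(1)</script>';

// Teacher views their own course via "Login as": the iframe is lost today,
// kept under the proposal.
echo render_current($teacherEmbed, true, true), "\n";
echo render_proposed($teacherEmbed, true, true, true), "\n";
// Student-authored dashboard content is stripped in both policies, even if
// some code path had marked it noclean.
echo render_current($studentBlock, true, true), "\n";
echo render_proposed($studentBlock, true, true, false), "\n";
```

      Note that render_proposed() still lets JavaScript authored by a teacher run inside the real (teacher or administrator) session while viewing as a student; deciding whether that is acceptable, and for which pages, is the safety question the update leaves open.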
