Moodle / MDL-66486

"Login as" applies forceclean to all content, not just that which is untrusted


    Details

    • Affected Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE

      Description

      To recreate

      1. Embed a YouTube video on the course page
      2. Note that the video is showing
      3. Login as another user in the course with the "Login as" button
      4. Note that the video is not showing

      The same thing occurs in Book and other resources and activities.

      Update by MH: We apply forceclean to 'login as' sessions to prevent JavaScript risks from untrusted content (such as students' dashboards), but there needs to be further investigation into whether it's: 1) possible and 2) safe, to apply this sanitizing only on the pages where it is required, so that teachers can still see "trusted" content (such as iframes and JavaScript included by teachers within a course) when logging in as their students.


            People

            Assignee:
            Unassigned
            Reporter:
            cdipe Peter Diedrichs
            Participants:
            Component watchers:
            Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)
            Votes:
            23
            Watchers:
            20
