  1. Moodle
  2. MDL-77000

Cannot add custom data- attributes using MarkdownExtra


Details

    • MDL-77000-400
    • MDL-77000-401
    • MDL-77000-master

      Test instructions

      1) Log in as a user who has page editing permissions.

      2) In user preferences change editor to PlainText Area.

      3) In a course create a new activity of "Text and media area" or "Page" in an arbitrary section.

      4) Below the textfield of "Page content" change the selection to "Markdown format" and paste this markdown code:

      That's some text with a footnote.[^1] The note must appear at
      the end of the page.

      Here comes some code:
      ``` {.someclass lang=en data-foo=bar}
      def somecode():
          print("Hello World")
      somecode()
      ```
      And here some other code:
      ``` {.otherclass lang=se data-foo=bas}
      <script>
          alert('horray');
      </script>
      ```
      And finally here we try to use some XSS in the code attributes:
      ``` {.otherclass lang=xss data-proc=alert('ups xss alarm'}
      import os;
      if __main__:
          print(os.path())
      ```
      This is the end of the text.

      [^1]: And that's the footnote.

          That's the second paragraph.

       

      5) Save and display.

      What is expected:

      1) When you see the rendered result it should look very similar to the screenshot

      2) Open the source code of the page (search for "hello" to get at the correct position), the three <code> elements should look like:

       
      <pre><code class="someclass" lang="en" data-foo="bar">def somecode():
          print("Hello World")
      somecode()
      </code></pre>

      <p>And here some other code:</p>

      <pre><code class="otherclass" lang="se" data-foo="bas"><script>
      alert('horray');
      </script>
      </code></pre>

      <p>And finally here we try to use some XSS in the code attributes:
      <code>{.otherclass lang=xss data-proc=alert('ups xss alarm'}
      import os;
      if __main__:
      print(os.path())</code>

      Note that the first two <code> elements contain the attributes that were given in the markup text, while the last one is invalid markup and is not rendered correctly (but no XSS alert etc. pops up either).
       


    Description

      Issue occurred upon update to Moodle 4.0.6 and 4.1.1. Did not exist in prior version.

      When using MarkdownExtra, cannot add custom data- attributes into code blocks anymore. Certain attributes such as lang, class still work.

      Steps:

      1) Log in as a user who has page editing permissions.

      2) Change editor to PlainText.

      3) Edit the page and "Add an activity or resource" of "Text and media area" in an arbitrary section.

      4) Change the editor to Markdown and paste in the below valid MarkdownExtra code:

      ``` {.someclass lang=en data-foo=bar}
      def somecode():
          print("Hello World")
      somecode()
      ```
      

      5) Save and return.

      6) Inspect the element.

      What was expected:

      Inspected code element having attributes:

      <code class="someclass" lang="en" xml:lang="en" data-foo="bar" ...

      What actually happens:

      Inspected code element has the following attributes:

      <code class="someclass" lang="en" xml:lang="en" ...

      Some attributes like lang and class are not stripped out. Data-attributes are removed.

      Why this matters:

      https://github.com/fastsandslash/moodle-filter_ace_inline

      Is a filter I am wanting to submit to the Moodle Repository.

      https://coderunner.org.nz/mod/page/view.php?id=545

      Is expected usage and behaviour.

      The use of MarkdownExtra is one of the supported methods of easy code creation for users, especially if importing questions created outside of Moodle.
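
An added example, not Moodle's or PHP Markdown's own code: one way to handle a fenced-code attribute block so that `class`, `lang` and `data-*` survive, any other attribute name is dropped, and a malformed block is rejected whole, matching the expected results in the test instructions above. The function names, the allowlist and the fourth sample are assumptions made for illustration.

```php
<?php
/** Returns an attribute map, or null when the block is malformed. */
function parse_fence_attributes(string $block): ?array {
    if (!preg_match('/^\{(.*)\}$/s', trim($block), $m)) {
        return null;
    }
    $attrs = [];
    $classes = [];
    foreach (preg_split('/\s+/', trim($m[1]), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        if (preg_match('/^\.([\w-]+)$/', $token, $t)) {
            $classes[] = $t[1];                 // .someclass
        } else if (preg_match('/^#([\w-]+)$/', $token, $t)) {
            $attrs['id'] = $t[1];               // #someid
        } else if (preg_match('/^([a-z][a-z0-9-]*)=([\w.:-]+)$/i', $token, $t)) {
            $name = strtolower($t[1]);
            // Allowlist: lang and data-* only; onclick, style, etc. are dropped.
            if ($name === 'lang' || preg_match('/^data-[a-z0-9-]+$/', $name)) {
                $attrs[$name] = $t[2];
            }
        } else {
            return null;  // Quotes, parentheses, ...: reject the whole block.
        }
    }
    if ($classes) {
        $attrs = ['class' => implode(' ', $classes)] + $attrs;
    }
    return $attrs;
}
/** Renders the map as HTML attributes, escaping every value. */
function render_attributes(array $attrs): string {
    $out = '';
    foreach ($attrs as $name => $value) {
        $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out;
}

// Constructed samples: the three blocks from the test instructions plus one event handler.
$samples = [
    '{.someclass lang=en data-foo=bar}',
    '{.otherclass lang=se data-foo=bas}',
    "{.otherclass lang=xss data-proc=alert('ups xss alarm'}",
    '{.demo onclick=run data-ok=1}',
];
foreach ($samples as $s) {
    $attrs = parse_fence_attributes($s);
    echo $attrs === null ? "rejected: $s\n" : '<code' . render_attributes($attrs) . ">\n";
}
```

The first two samples keep `data-foo`, the third is rejected because its value contains a parenthesis and a quote, and the fourth keeps `data-ok` while losing `onclick`.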


            People

              strobotta Stephan Robotta
              fastsandslash Michelle Hsieh
              Jordi Pujol-Ahulló Jordi Pujol-Ahulló
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo