Moodle / MDL-80952

When $CFG->forceclean is enabled, $CFG->enabletrust is ignored, but the combination of them would be great


    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 4.3
    • General
    • None
    • MOODLE_403_STABLE

      $CFG->forceclean (still experimental, see MDL-62352) completely ignores the $CFG->enabletrust value and 'trusttext' property. So we have two scenarios:

      1. Text is cleaned everywhere and no JS is possible ever ($CFG->forceclean = 1)

      2. Text is not cleaned in a lot of areas and in some selected cases (i.e. forum posts) we can respect 'trusttext' and allow teachers to insert JS but not students. ($CFG->forceclean = 0; $CFG->enabletrust = 1;)

      Following all discussions about how it would be good to clean by default but allow to insert JS somewhere it would be really good to have a third option:

      3. Text is cleaned by default everywhere but in some fields (i.e. course summary or html block) people with trusttext capability should be able to insert JS. (currently not possible)

      That would be a good compromise, imho.

      Considering that both $CFG->forceclean and $CFG->enabletrust already exist and work the way I described above, we could probably make $CFG->forceclean a dropdown with several options rather than a boolean, and remove $CFG->enabletrust completely.

      Thoughts?

            Unassigned Unassigned
            marina Marina Glancy