-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
-
4.3
-
None
-
MOODLE_403_STABLE
$CFG->forceclean (still experimental, see MDL-62352) completely ignores the $CFG->enabletrust value and 'trusttext' property. So we have two scenarios:
1. Text is cleaned everywhere and no JS is possible ever ($CFG->foceclean = 1)
2. Text is not cleaned in a lot of areas and in some selected cases (i.e. forum posts) we can respect 'trusttext' and allow teachers to insert JS but students not. ($CFG->foceclean = 0; $CFG->enabletrust = 1;)
Following all discussions about how it would be good to clean by default but allow to insert JS somewhere it would be really good to have a third option:
3. Text is cleaned by default everywhere but in some fields (i.e. course summary or html block) people with trusttext capability should be able to insert JS. (currently not possible)
That would be a good compromise, imho.
Considering that both $CFG->forceclean and $CFG->enabletrust already exist and work the way I described above, we could probably make $CFG->forceclean to be a dropdown with several options and not a boolean, and remove the $CFG->enabletrust completely.
Thoughts?