  1. Moodle
  2. MDL-80953

Tiny is more strict than Atto for e.g. onclick JavaScript action

    • MOODLE_403_STABLE, MOODLE_404_STABLE
    • MDL-80953-main
    • Disable the editor when editing special HTML
    • Easy

      Prerequisites

      • Create a course with a page activity
      • Have the TinyMCE as the preferred editor.

      Test instructions

      First part

      • Edit the page activity, change to the source view in the Tiny and add the following text:
      <table>
      <tbody>
      <tr>
      <td class="styleid"> <button class="button" onclick="alert('horray')">click me</button></td>
      </tr>
      </tbody>
      </table>
      • Hit the Save button to switch back to WYSIWYG mode.
      • Go back to the source code button.

      Expected outcome: the onclick attribute vanished.

      Second part

      • Change the settings, go to the Site administration -> Plugins -> Text editors -> TinyMCE editor -> General settings.
      • Change the value of editor_tiny | extended_valid_elements to script[*],p[*],i[*],button[onclick] and click save.
      • Go to the page activity, repeat the steps from above.

      Expected outcome: This time, after switching from WYSIWYG mode back into source code mode, the onclick attribute should still be inside the button element.


      As a teacher, if you insert the block

      <table>
          <tbody>
              <tr>
                  <td class="styleid"> <button class="button" onclick="hideallexcept('hiding', 'description2')">136</button></td>
              </tr>
          </tbody>
      </table>
      

      in an editor (in a text and media area), Tiny would filter out the onclick part, while Atto leaves it in.

      FULL STEPS

      1. As a teacher, in a course, add a text and media area, switch to source code view and paste the above code, then save.

      WHAT YOU EXPECTED
      The onclick code stays in.

      WHAT ACTUALLY HAPPENS
      The onclick code is filtered out.
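
A value like the one set in the second part of the test instructions widens what the editor keeps, so an administrator may want to review which entries permit inline script before saving it. The following is an added example, not Moodle or TinyMCE code; the function names and the simplified subset of the allowlist syntax it parses are assumptions.

```javascript
// Added example (not Moodle or TinyMCE code). Audits an
// extended_valid_elements value for entries that re-enable inline script.
// Assumption: simplified subset of the syntax, "name[attr|attr]" entries
// separated by commas, optional #/+/- name prefixes, optional ! attribute
// prefix and =default, :forced or <verify attribute suffixes.

function parseValidElements(value) {
  const rules = [];
  // Split on commas that sit outside the [...] attribute lists.
  for (const raw of value.match(/[^,\[]+(?:\[[^\]]*\])?/g) || []) {
    const m = /^([^\[]+)(?:\[([^\]]*)\])?$/.exec(raw.trim());
    if (!m) continue; // whitespace-only fragment between entries
    const element = m[1].trim().replace(/^[#+-]+/, '').toLowerCase();
    const attrs = (m[2] || '')
      .split('|')
      .map((a) => a.trim().replace(/^!/, '').split(/[=:<]/)[0].toLowerCase())
      .filter(Boolean);
    if (element) rules.push({ element, attrs });
  }
  return rules;
}

function auditValidElements(value) {
  const findings = [];
  for (const { element, attrs } of parseValidElements(value)) {
    if (element === 'script') {
      findings.push({ element, reason: 'script element allowed' });
    }
    for (const attr of attrs) {
      if (attr === '*') {
        // A wildcard list names no attributes, so it excludes no on* handler.
        findings.push({ element, reason: 'wildcard attribute list' });
      } else if (/^on[a-z]+$/.test(attr)) {
        findings.push({ element, reason: `event handler attribute: ${attr}` });
      }
    }
  }
  return findings;
}

// Value from the second part of the test instructions above.
const sample = 'script[*],p[*],i[*],button[onclick]';
for (const f of auditValidElements(sample)) {
  console.log(`${f.element}: ${f.reason}`);
}
```
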

            strobotta Stephan Robotta
            lucaboesch Luca Bösch
            Alex Yeung Alex Yeung