From 5fca7310da92b3f7c0cc9a34d5ce823b1a558e87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Mudr=C3=A1k?= <david@moodle.com>
Date: Wed, 13 Dec 2017 12:25:13 +0100
Subject: [PATCH] MDL-60940 editor: Inform the user if the forceclean flag
 would apply

This is to better communicate with users that the forceclean flag has
been set in the server administration. In places where they might
expect to be able to insert interactive content (scripts, iframes
etc), we display a notification informing them that the content would be
cleaned.

Hopefully this will help to debug eventual regressions in content
displaying after setting the flag.
---
 lang/en/admin.php   |  1 +
 lib/form/editor.php | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/lang/en/admin.php b/lang/en/admin.php
index 789c48bbb7..27280be1ed 100644
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@@ -552,6 +552,7 @@ $string['filtersettingsgeneral'] = 'General filter settings';
 $string['filteruploadedfiles'] = 'Filter uploaded files';
 $string['forceclean'] = 'Content cleaning everywhere';
 $string['forceclean_desc'] = 'Content added to the site is normally cleaned before being displayed, to remove anything which might be a security threat. However, content is not cleaned in certain places such as activity descriptions, page resources or HTML blocks to allow scripts, media, inline frames etc. to be added. If this setting is enabled, ALL content will be cleaned. This may result in existing content no longer displaying correctly.';
+$string['forcecleanapplies'] = 'Content will be cleaned before being displayed, to remove anything which might be a security threat.';
 $string['forcelogin'] = 'Force users to log in';
 $string['forceloginforprofileimage'] = 'Force users to log in to view user pictures';
 $string['forceloginforprofileimage_help'] = 'If enabled, users must log in in order to view user profile pictures and the default user picture will be used in all notification emails.';
diff --git a/lib/form/editor.php b/lib/form/editor.php
index bbec709e96..4cda5fa823 100644
--- a/lib/form/editor.php
+++ b/lib/form/editor.php
@@ -434,6 +434,18 @@ class MoodleQuickForm_editor extends HTML_QuickForm_element implements templatab
 
         $str .= $OUTPUT->render_from_template('core_form/editor_textarea', $context);
 
+        // Inform the user if the forceclean flag would apply. See {@link format_text()} for reference.
+        if (!empty($CFG->forceclean)) {
+            $nocleanbecausesaidso = !empty($this->_options['noclean']);
+            $nocleanbecausetrusted = (!isset($this->_options['noclean']) && $this->_options['trusted'] && trusttext_active());
+            if ($nocleanbecausesaidso || $nocleanbecausetrusted) {
+                $str .= $OUTPUT->notification(
+                    get_string('forcecleanapplies', 'core_admin'),
+                    \core\output\notification::NOTIFY_INFO
+                );
+            }
+        }
+
         // during moodle installation, user area doesn't exist
         // so we need to disable filepicker here.
         if (!during_initial_install() && empty($CFG->adminsetuppending)) {
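Review bot: In the added block, `$this->_options['trusted']` is read without an `isset`/`empty` guard, although `noclean` on the line above is guarded. If an element is ever built without that key, rendering raises an undefined-index notice, so `!empty($this->_options['trusted'])` would be safer. The `!isset($this->_options['noclean'])` test copies format_text(), but if this class pre-populates `noclean` in its default options (not visible in this hunk) the trusted branch can never be true and the notice would be skipped for trusted-text editors; this is worth confirming with a test. Because the check duplicates a decision that format_text() makes at display time, the comment could say so, e.g. `// Mirrors the noclean/trusted resolution in format_text(); keep both in sync.` The enclosing method starts and ends outside the hunk.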
-- 
2.16.1

