Filter JavaScript

Issue #38 on hold
Jeremy Hopkins created an issue

I think we need to double-check that JS is filtered on post, and additionally filter out JS when the feed is rendered.

Comments (2)

  1. Former user Account Deleted

    If you create a new discussion, it appears not to clean up any JS that may contain XSS code, etc.

    This commit: https://bitbucket.org/covuni/moodle-block_discussion_feed/commits/151c8e2177548e0107139098333f379475be5b90 is an interim fix for this, so that when creating a new discussion, the web service called (when clicking send) will only accept text content, and presents an error if anything other than that is added. This mimics the behaviour of the reply button, which already behaves like this. It’s not ideal in the sense of the message presented (in that it’s a generic message coming back from the web service).

    @Jeremy Hopkins This needs looking at further, as there is a setting called “trusted content” within Moodle. When checked, it allows users with the “trusted content” permission to add HTML and script code. Should we mimic this behaviour and allow that within the discussion feed? In essence, we can just do what mod/forum/post.php would do in those scenarios. There is an argument, perhaps, for not allowing this though, and keeping it simple in this block?
