Moodle tracker issue MDL-54883

Comments should not allow typing any HTML

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 3.1, 3.4.2
    • Component/s: Comments
    • Affected Branches: MOODLE_31_STABLE, MOODLE_34_STABLE

      The comments API allows HTML-formatted comments to be posted. Even though it is properly sanitised from embedded JavaScript and nasty formatting (such as position:fixed styles etc.), it can still be abused for social engineering tricks.

      Many users are not even aware that HTML can be used there, as they can't see any editor in the first place. I don't think the solution is to add the editor (as requested in MDL-24598). I believe the comments should behave much like Facebook: plain text messages with support for sharing images and links, but in a controlled manner and not via raw HTML.
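The rendering model the report proposes (everything is plain text; links exist only through a controlled path the renderer builds itself) sketched as an added example. This is not Moodle code: `render_comment`, the URL pattern and the sample comments are assumptions made for the illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Only absolute http(s) URLs are recognised; anything else is ordinary text.
URL_RE = re.compile(r'https?://[^\s<>"\']+')
# Punctuation that usually ends a sentence rather than belonging to the URL.
TRAILING = ".,;:!?)"

def render_comment(text: str) -> str:
    """Escape every character the user typed, then turn bare URLs into links
    whose visible text is the URL itself, so link text cannot misdescribe the
    destination and no user-supplied tag or attribute ever reaches the page."""
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        keep = len(url.rstrip(TRAILING))
        url, tail = url[:keep], url[keep:]
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.netloc:
            esc = html.escape(url, quote=True)
            out.append(f'<a href="{esc}" rel="nofollow noopener noreferrer">{esc}</a>')
        else:
            # Malformed URL (e.g. empty host): show it as text, never as a link.
            out.append(html.escape(url))
        out.append(html.escape(tail))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)

if __name__ == "__main__":
    # Constructed sample comments, not taken from any real Moodle site.
    for sample in ("see https://example.org/docs.",
                   "<b>bold</b> & friends",
                   '<a href="https://example.net/">Log in</a>'):
        print(render_comment(sample))
```

Images shared "in a controlled manner" would follow the same pattern: the renderer emits the `<img>` tag itself from a validated URL, rather than passing any markup the user typed.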

            Assignee: Unassigned
            Reporter: David Mudrák (@mudrd8mz)
            Votes: 1
            Watchers: 7
