-
Bug
-
Resolution: Fixed
-
Minor
-
4.0.9, 4.1.4, 4.2.1
-
MOODLE_400_STABLE, MOODLE_401_STABLE, MOODLE_402_STABLE
-
MOODLE_401_STABLE, MOODLE_402_STABLE
-
MDL-78505/401 -
MDL-78505/master -
Test instructions from
MDL-32114:Setup
- Log in as a user that can create or modify a course.
- Click the user icon in the top right corner, and in the drop-down menu go to Preferences
- In the Editor preferences change the Text editor to "Plain text area"
Test Instructions
- In a course create a new Forum post.
- Click on Add a new discussion topic, set an arbitrary title, use the file content from the attached file post_text_32114.txt
as it is for the post and set the selection to Markdown format. Save your post and click to view it. - Expected result: the block quotes and the code section should be rendered correctly, there must not appear any popup. The output should look close to the screenshot mdl32114_parsed_output.png.
- Edit the post again as if you would want to do a correction
- Expected result: the markup appears as it was saved before i.e. the same content as in the file.
- Make some small changes and save the post again.
- Expected result: same as in step 3 except for the changes that you did before.
Additional tests
Area without trust text support:
- Log in as admin
- Set up your preference to use plain text editors
- Go to Site administration / Users / Accounts / Cohorts / Add new cohort
- Add a new cohort with description text from post_text_32114.txt using Markdown format
- Edit cohort and confirm the markdown text was not mangled
Trust text does not allow JavaScript (JS) via Markdown texts
- Log in as admin
- Enable the "Enable trusted content" admin setting
- Set up your preference to use plain text editors
- Add forum with post with text from post_text_32114.txt using Markdown format
- Confirm that JS alerts samples in the post are not triggered
- Edit the post and confirm the Markdown text is not mangled
Areas with "noclean" texts must allow JS
- Log in as admin
- Make sure the "Enable trusted content" admin setting is disabled
- Set up your preference to use plain text editors
- Add page resource to course with text from post_text_32114.txt using Markdown format
- Confirm that JS alerts in page resource are triggered
- Edit the page resource and confirm the Markdown text is not mangled
Test instructions from MDL-32114 : Setup Log in as a user that can create or modify a course. Click the user icon in the top right corner, and in the drop-down menu go to Preferences In the Editor preferences change the Text editor to "Plain text area" Test Instructions In a course create a new Forum post . Click on Add a new discussion topic, set an arbitrary title, use the file content from the attached file post_text_32114.txt as it is for the post and set the selection to Markdown format. Save your post and click to view it. Expected result: the block quotes and the code section should be rendered correctly, there must not appear any popup . The output should look close to the screenshot mdl32114_parsed_output.png . Edit the post again as if you would want to do a correction Expected result: the markup appears as it was saved before i.e. the same content as in the file. Make some small changes and save the post again. Expected result: same as in step 3 except for the changes that you did before. Additional tests Area without trust text support: Log in as admin Set up your preference to use plain text editors Go to Site administration / Users / Accounts / Cohorts / Add new cohort Add a new cohort with description text from post_text_32114.txt using Markdown format Edit cohort and confirm the markdown text was not mangled Trust text does not allow JavaScript (JS) via Markdown texts Log in as admin Enable the "Enable trusted content" admin setting Set up your preference to use plain text editors Add forum with post with text from post_text_32114.txt using Markdown format Confirm that JS alerts samples in the post are not triggered Edit the post and confirm the Markdown text is not mangled Areas with "noclean" texts must allow JS Log in as admin Make sure the "Enable trusted content" admin setting is disabled Set up your preference to use plain text editors Add page resource to course with text from post_text_32114.txt using Markdown format Confirm that JS alerts in page resource are triggered Edit the page resource and confirm the Markdown text is not mangled
MDL-32114 created a regression where format_text() ignores noclean option for FORMAT_MARKDOWN.
This is incorrect and inconsistent with all other text formats.
This code:
// The markdown parser does not strip dangerous html so we need to clean it, even if noclean is set to true.
|
$text = clean_text($text, FORMAT_HTML, $options);
|
should be reverted back to
if (!$options['noclean']) { |
$text = clean_text($text, FORMAT_HTML, $options);
|
}
|
The problem here is that trusttext is fundamentally incompatible with markdown because we cannot sanitise it before conversion to Markdown.
Unfortunately MDL-64240 had the wrong idea that any text format can be cleaned, oh well, that must be fixed first.
At the same time MDL-32114 did not fix the markdown editing problem in areas that do not use trust text.
- has to be done after
-
-
- Closed
-
- is a regression caused by
-
-
- Closed
-
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
- will help resolve
-
-
- Closed
-
