Can't Reference JavaScript Files Unless Inside of PHP?

Can't Reference JavaScript Files Unless Inside of PHP?

by Jesse Morton -
Number of replies: 6

Hi, for Moodle 2.0, I've seen JavaScript guidelines at http://docs.moodle.org/en/Development:JavaScript_guidelines and http://docs.moodle.org/en/Development:JavaScript_usage_guide Both seem to point to including JavaScript files using PHP. In our enterprise-level hosting of Moodle at a major university, though, we as web developers and users don't have access to modify any PHP files, themes, etc.

Does Moodle 2.0 actually exclude the possibility of referencing external JavaScript files through the text editor? I found that I can paste inline JavaScript into the editor on a page-by-page basis, but I'd like the code to be reusable by putting it into an external file. When I do that, and try to reference it, the text editor strips out the src="" property's value. We used JavaScript files extensively in our 1.9 courses, providing additional interactivity than what Moodle itself has.

Please let me know if you have any suggestions and/or whether this question belongs elsewhere in the forums. Thanks!

Jesse

Average of ratings: -
In reply to Jesse Morton

Re: Can't Reference JavaScript Files Unless Inside of PHP?

by Itamar Tzadok -

Disable the editor (set to 'use standard web forms') in your user profile for adding/editing these references. See image for reference. smile

Attachment userprofile-usehtmleditor.png
Average of ratings: Useful (1)
In reply to Itamar Tzadok

Re: Can't Reference JavaScript Files Unless Inside of PHP?

by Jesse Morton -

Thanks for the tip!

I'm able to change it to "use standard web forms", and it acts like it saved when I click "Update profile", but if I go back into my profile it's reverted back to the HTML editor... Perhaps it's something local to my school, where they've disabled that feature and just haven't disabled the dropdown menu on the profile page.

If I am able to get it to just use web forms, it could still be problematic if someone else that has their setting on HTML editor, goes into a page, makes a text update, and saves. Is that right? We will often have that scenario, with faculty editing the content in their course that we built.

It seems like the administrators would need to disable that JavaScript-stripping feature of the text editor in that case. Thanks for your input!

Jesse

Average of ratings: -
In reply to Jesse Morton

Re: Can't Reference JavaScript Files Unless Inside of PHP?

by Itamar Tzadok -
Another possible approach (until the administrators disable the filtering ...) is to add the reference to the js file by inline scripting. Something like:

var jscript=document.createElement('script');
jscript.type='text/javascript';
jscript.src='...';
var head=document.getElementsByTagName('head')[0];
head.appendChild(jscript);

hth smile
Average of ratings: -
In reply to Itamar Tzadok

Re: Can't Reference JavaScript Files Unless Inside of PHP?

by Jesse Morton -

Nicely done! That allows the referencing and is also not affected by going in and editing/saving the page again.

Thanks,

Jesse

Average of ratings: -
In reply to Jesse Morton

Re: Can't Reference JavaScript Files Unless Inside of PHP?

by Tim Hunt -
Picture of Core developers Picture of Documentation writers Picture of Particularly helpful Moodlers Picture of Peer reviewers Picture of Plugin developers

This reply is more an explanation of what is going on that an actual answer to your question. ("To understand all is to forgive all.")

I don't know how much you know about the security of web applications, but the point is that allowing users to type JavaScript into web forms that is later sent to other users is fundamentally insecure. If you don't currently understand this, and wish to, then Google XSS (Cross-site scripting).

However, as in your situation, there are times when teachers need to embed JavaScript for valid reasons. Therefore, Moodle takes the pragmatic decision to allow trusted users (teachers) to add JavaScript in certain places (basically, those places where only teachers can edit the content).

Still, we spend much more time worrying about making it impossible for Students to embed content anywhere, than we do about making it easy for teachers to add JavaScript. It probably should not be as difficult as it currently is. That is probably a minor bug, but I don't know enough about the details.

Average of ratings: -
In reply to Tim Hunt

Re: Can't Reference JavaScript Files Unless Inside of PHP?

by Jesse Morton -

Thanks for the background info, Tim. I am familiar with the security risks involved, so understand why it's not wide open for inserting JavaScript.

I wasn't aware of the different permissions for teachers and students, though it makes sense. As a quick test, I was able to insert inline JavaScript in a forum post as a teacher but not as a student.  The text editor allowed it in both cases, but when I saved it, the server-side code stripped the student's JavaScript. Good to know!

Average of ratings: -