Moodle 2.2, TinyMce stripping out code

by Glenys Hanson -
Number of replies: 9

Hi everyone,

I'm sure that TinyMce is set to strip out code on these forums for security reasons. Is there any workaround? We language teachers are so desperate to integrate audio and video (I mean where students can express themselves orally, not just listen) into our Moodle courses especially with NanoGong not being updated for Moodle 2.

I tried to demonstrate on the Moodle Lang course (in teacher role): the Google audio Flash player but though you can see the player, it doesn't play.

Frankie Kam tried too but in student role you can't even see the player. 

Mmmm... any solution? Am I asking in the right place? I thought of the Tracker but it seems to me to be more of a political than a technical problem.

Happy New Year to all of you.

Glenys

PS: I tried to show you the player here, but as a "student" it was completely stripped.

In reply to Glenys Hanson

Re: Moodle 2.2, TinyMce stripping out code

by Brent Lee -

Hi Glenys,

This sounds like enabling a filter may solve it.

Administration -- Plugins -- Filters 

 

--Brent

In reply to Glenys Hanson

Re: Moodle 2.2, TinyMce stripping out code

by Mauno Korpelainen -

Hi Glenys,

TinyMCE is not stripping those tags, it's caused by security policy of moodle in such activities that students are allowed to add content: forums, wikis, blogs, user profiles,... trusted content ( = allowed_tags in weblib.php).

If you want to use object tags everywhere you can check settings

Allow EMBED and OBJECT tags

and

Enable trusted content

from Security > Site policies

The only (security) problem is that it gives the same capability to students as well - not only administrators and teachers - and some users might try to add malicious code using these tags instead of educational material.

You can anyway (without changes to site policy) use object tags in topics, labels, file attachments etc and make a link to such pages/activities in your forum posts (on your local site). If you want to demonstrate such things in moodle.org forum posts you could either create a html file with that feature and attach the file to your forum post or save the file elsewhere (any address in www) and create a link to that file - but not embed the content directly to forum post with object tags. Multimedia filter (link to video/audio file) can handle some video/audio content like youtube files but not all web video/audio resources.
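
The allowlist behaviour described in the post above, as an added example that is not part of the original post and is not Moodle's own code. The tag lists, the `clean_html` function and its `allow_media` flag (standing in for "Allow EMBED and OBJECT tags") are hypothetical, and the sample markup is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for illustration only (not Moodle's real list).
BASE = {"a": {"href", "title"}, "p": set(), "b": set(), "i": set(), "br": set()}
MEDIA = {"object": {"type", "data", "width", "height"}, "param": {"name", "value"}}
VOID = {"br", "param"}                   # elements that take no closing tag
URL_ATTRS = {"href", "data"}
SAFE_SCHEMES = ("http://", "https://")

class _Cleaner(HTMLParser):
    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed, self.out = allowed, []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return                        # tag removed, inner text still kept
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in self.allowed[tag]:
                continue                  # onclick, rel, style, ... are dropped
            if name in URL_ATTRS and not value.lower().startswith(SAFE_SCHEMES):
                continue                  # e.g. javascript: URLs
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def clean_html(text, allow_media=False):
    """Return text with only allowlisted tags and attributes left in place."""
    allowed = {**BASE, **(MEDIA if allow_media else {})}
    cleaner = _Cleaner(allowed)
    cleaner.feed(text)
    cleaner.close()
    return "".join(cleaner.out)

# Constructed samples, modelled on the markup posted in this thread.
PLAYER = ('<object type="application/x-shockwave-flash" width="200" height="20" '
          'data="http://flash-mp3-player.net/medias/player_mp3_maxi.swf">'
          '<param name="bgcolor" value="#ffffff" /></object>')
LINK = '<a href="http://example.org/" onclick="x()" rel="nofollow">Test</a>'
```

With the flag off, `clean_html(PLAYER)` returns an empty string, which is the "completely stripped" result a student sees; `clean_html(LINK)` keeps the link but loses `onclick` and `rel` in either mode.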

In reply to Mauno Korpelainen

Re: Moodle 2.2, TinyMce stripping out code

by Glenys Hanson -

Hi Mauno,

Thanks for clarifying things.

I'd already provided a link to another site so users could see the player working but it would have been neater to put it in the Moodle forum.

I still find it a bit strange that in "teacher role" on Moodle Lang I can make the Google audio player appear but it doesn't work: see here.

This is the code I'm using:

<object type="application/x-shockwave-flash" data="http://flash-mp3-player.net/medias/player_mp3_maxi.swf" width="200" height="20"><param name="movie" value="http://flash-mp3-player.net/medias/player_mp3_maxi.swf" /><param name="bgcolor" value="#ffffff" /><param name="FlashVars" value="mp3=http://www.gstatic.com/dictionary/static/sounds/de/0/pumpkin.mp3&amp;autoload=1" /></object>

Cheers,

Glenys

In reply to Glenys Hanson

Re: Moodle 2.2, TinyMce stripping out code

by Mauno Korpelainen -

In that forum/post moodle.org seems to render the player but the object tags don't work - you can't hear the word by clicking the play button.

My guess is that your Lang forum post is trying to use either the flash file link or mp3 file link directly with multimedia filter instead of object tags...

But it is never possible to use object tags in forums unless site policy has been changed to allow object tags and that should never be possible in moodle.org forums.

Let's test plain links that should not play the file:

1) swf file: http://flash-mp3-player.net/medias/player_mp3_maxi.swf

2) mp3 file: http://www.gstatic.com/dictionary/static/sounds/de/0/pumpkin.mp3&amp;autoload=1

If you follow the link the first link renders the player but since multimedia filter here does not embed swf files nothing happens...

3) plain mp3 file link without autoload end:

( I removed &amp;autoload=1 )

In reply to Mauno Korpelainen

Re: Moodle 2.2, TinyMce stripping out code

by Glenys Hanson -

Hi Mauno,

Thanks so much - took me a little while to understand what you meant by a "plain mp3 link" - I'm a bit slow.

Now I can tell the people over on Lang Teaching and they'll think I'm smart. ;-)

Cheers,

Glenys

 

In reply to Mauno Korpelainen

Re: Moodle 2.2, TinyMce stripping out code

by Chris Fryer -

"The only (security) problem is that it gives the same capability to students as well - not only administrators and teachers - and some users might try to add malicious code using these tags instead of educational material."

I don't think that's the case. Only users with a role that has the moodle:site/trustcontent capability can use "unsafe" HTML elements. At our site, that only includes Managers and Editing Teachers. See /admin/tool/capability/index.php on your Moodle installation.

In reply to Chris Fryer

Re: Moodle 2.2, TinyMce stripping out code

by Mauno Korpelainen -

If moodle 2.2 has not changed the capability checking code recently vs site policy I might still say that if you select (check)

Allow EMBED and OBJECT tags

from Site administration > Security > Site policies

you override this capability check and give also students the capability to use Object and Embed tags everywhere in moodle

See

http://docs.moodle.org/22/en/Site_policies#Allow_EMBED_and_OBJECT_tags

On the other hand

http://docs.moodle.org/22/en/Site_policies#Enable_trusted_content seems to be going through some changes in development process

http://docs.moodle.org/dev/Trusttext_cleaning_bypass so I am not 100% sure about the current situation of effect of this setting (Enable trusted content) ;-)

Anyway the best (easiest/safest) option is to use multimedia plugin / filter ( = links to files that filter converts to correct tags) to add embedded media to moodle instead of using object / embed tags directly.

In reply to Mauno Korpelainen

Re: Moodle 2.2, TinyMce stripping out code

by Dio P -

When I am writing on tinymce in wiki and writing an html code like Test, the onclick, rel and all other attributes from the anchor tag are getting stripped. However when I am writing the same code in the tinymce editor in the forum, then it does not strip the anchor tag. I don't know what to do, I have been searching for weeks but nothing works. I have granted both the Allow EMBED and OBJECT tags and Enable trusted content and also did that for every user.

 

In reply to Dio P

Re: Moodle 2.2, TinyMce stripping out code

by Christopher Perkins -

Do an admin search for "purifier" and disable the html purifier option. That should keep moodle from stripping your markup.