Tracker link: MDL-46269
Security and privacy
HTTP to HTTPS converter for external content
Personally I think the "new content" issue should be resolved in the editor on saving content - it would be nice if it could do an automatic check and fix anything it can fix automatically and then warn the user perform some validation to report to the user that to embed the content they must find an https link.
Then we can just use an admin tool to fix "existing" content and don't need to rely on a filter that adds performance overheads to the site.
Yeah the filter is added overhead. Then again, if we don't implement a filter, we will need the admin tool to run during upgrade, then again once the admin finishes putting together their whitelist.
The filter would work nicely for existing content, allowing the admin to locate items that don't work and gradually add them to the whitelist, without having to run the tool each time.
A filter could modify the embedded url, if it was programmed to do so. But it would not be able to change the url in the URL resource's settings. Only the admin tool could achieve that.
My attempt to write such a filter succeeded in influencing the intro contents of a URL resource -- so I know it is working -- but did not affect the value of the URL itself that was used to build the iframe markup. Looking at /mod/url/locallib.php I can see where some of the settings are being passed through filtering, but I can't see where $exteurl gets filtered. Is there some way, from within the filter (without hacking mod_url) to invoke a filter on that value?
I've tried the filter you proposed in connection with MDL-46296 and while it will modify an iframe src that is added to a textarea, it does not modify the "External URL" value for an embedded URL resource. I know that it won't change the setting, but it seems not to filter it, either.