I just tried to work this out. If your plugin has an admin_setting_confightmleditor setting, what is the correct way to output that? Normally when you output something that was user input, you pass it through format_text(), format_string() or s(), and doing this is an important security thing.
My normal approach to try to answer this question is to look for examples in the standard Moodle code. There is no advice in the doc-comment on admin_setting_confightmleditor. There are only a few examples where it is used. However, in this case, looking at the examples just left me confused:
- maintenance_message is a special case. The maintenance message can be displayed when Moodle is in mid upgrade, so you can't rely on anything working, so it is just output with no extra processing.
- backup/backup_async_message goes into an email, not displayed on-screen, so that is different.
- auth_instructions - if you decode auth/classes/output/login.php, this eventually gets passed through external_format_text (with hard-coded FORMAT_MOODLE). Since web services are almost certainly not involved, that seems like a dangerous example to copy.
- auth_shibboleth does format_text($config->auth_instructions); but that turns out to be a setting that came from an admin_setting_configtextarea.
Before doing all this research, my guess would have been format_text($CFG->thing, FORMAT_HTML).
If anyone thinks they know the 'right' answer here, please let me know. Thanks.