[3.7]Block certain HTML codes

by Richard van Iwaarden -
Number of replies: 6

Today someone copied and pasted some URL into Moodle.

In this copied-and-pasted part, there was HTML code that changed the base URL:

<base href="https://badurl.com">

This messed up many URLs in Moodle. It even looked like some security breach, as standard Moodle buttons and topics suddenly pointed to a completely different website.

Is there any way I can filter this HTML code in Moodle? I would not like it to be used ever again.


In reply to Richard van Iwaarden

Re: [3.7]Block certain HTML codes

by Ken Task -

Kinda surprising, considering that any internal links in Moodle code should be using the config.php variable for wwwroot in the construction of those internal links.

Mind sharing which tool (like the HTML block) that HTML code was inserted with? Was it a customized plugin not part of core Moodle code?

'SoS', Ken

In reply to Ken Task

Re: [3.7]Block certain HTML codes

by Richard van Iwaarden -
It was in an HTML table that was copied into a section description. I still have part of the code:



I also inserted this HTML code into this post... let's see if it breaks anything

[edit - that's interesting... the HTML code is removed in this forum. So it must be my site]
In reply to Richard van Iwaarden

Re: [3.7]Block certain HTML codes

by Ken Task -

So the table was copied from something else ... am guessing the HTML code was not inspected prior to the pasting. Can recall, even when using static web page creation apps, copying from the GUI page and pasting to be an adventure sometimes ... not seeing the true HTML behind the GUI - a tag overlap, a missing closing tag, etc. could render almost useless a resulting saved page - now static.

Guess the editor in Moodle doesn't filter/trap/reject 'base href' tags in *all* HTML boxes ... any mod.

So you were able to find and correct ... that's good.

'SoS', Ken


In reply to Richard van Iwaarden

Re: [3.7]Block certain HTML codes

by Michael Hawkins -
Hi Richard,

Testing this locally on the latest stable version of Moodle, this appears to be stripped from the post when it is submitted.

When I added <base href="https://duckduckgo.com"> to my post and then switched back from HTML editor to WYSIWYG mode, that base URL would be applied to my current page (as expected), which meant that clicking "Post" would redirect me to https://duckduckgo.com/post.php, instead of publishing my message.

When I added <base href="https://mymoodlesite/mod/forum">, so that the URL was effectively unchanged (to allow "Post" to submit my message, including the <base>), the <base> tag and its contents were stripped from the message (not present in the message stored in the database, and also therefore not reflected to any other users or myself, once submitted). So it appears that you are unable to publish posts containing that tag (and if you could, they still would not be included in the post).

Can you confirm whether you were able to publish a post containing a <base> tag, or were just seeing it when the content was initially pasted into the editor? If it was able to be posted, it would be great if you could confirm which version of Moodle you are using (it may be better to send that information through to security@moodle.org rather than on the public forum, until we know the security implications of your findings).

Thanks!

Mick

In reply to Michael Hawkins

Re: [3.7]Block certain HTML codes

by Richard van Iwaarden -

Hi Michael,

It was not a forum post where this tag was posted. It was done by a teacher editing a topic description.

I was able to reproduce this here:

https://sandbox.moodledemo.net/course/view.php?id=2

Try editing topic 1: https://sandbox.moodledemo.net/course/editsection.php?id=4&sr and inserting the HTML <base href="https://duckduckgo.com">

This will be saved.

Now I don't know if this really is a bug or a security issue. It's just that teachers tend to cut and paste stuff from the Internet into their course. And when this HTML code is copied, many links in the course (which seem to be relative links) were destroyed.

I must add that I'm using a custom course format.

In reply to Richard van Iwaarden

Re: [3.7]Block certain HTML codes

by Michael Hawkins -
Hi Richard,

Thanks for the additional information. I was able to see this being saved within a section (topic) description. As far as I could see, it looked as though the only relative links on the page (by default) are those that are used to display dropdowns (such as "Edit" and "Add an activity or resource"), where href="#" becomes href="https://duckduckgo.com/#", but whose actions are overridden by JavaScript, so the change has no effect on the behaviour of the page.

From a security perspective, it's also worth mentioning that editing section descriptions requires the 'moodle/course:update' capability, which is intended for trusted users such as teachers and admins, and is flagged as having XSS risk. That means users who can edit sections have permission to include JavaScript in the description, so stripping <base> tags from the HTML would not prevent them from being able to set that value.

(Apologies for the delay in responding, I looked into this further after your follow-up, but it appears that I failed to hit the post button!)
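The two mechanics discussed in this thread, a pasted `<base href>` re-rooting every relative link on the page (the `post.php` redirect and the `href="#"` rewrite described above) and a server-side filter that drops `<base>` tags before the description is saved, can be shown with the WHATWG URL API that browsers and Node.js share. The following is an added example written for this thread; it is not Moodle code, and the site URL, page path and description fragment in it are constructed for illustration.

```javascript
// Added example (not Moodle code): why a pasted <base href> breaks relative
// links, and a minimal filter that removes <base> tags from user-supplied HTML.
// Uses only the WHATWG URL API, which is global in Node.js and browsers.

// Resolve a relative reference the way a browser would once a <base href>
// is in effect for the document.
function resolveAgainstBase(href, baseHref) {
  return new URL(href, baseHref).href;
}

// Remove every <base ...> tag from an HTML fragment. <base> is a void element,
// so there is no closing tag to remove. A regex is enough for this
// demonstration; a production filter should operate on the parsed DOM, which
// is what a proper HTML cleaner (like the one Moodle applies to forum posts) does.
function stripBaseTags(html) {
  return html.replace(/<base\b[^>]*>/gi, '');
}

// Constructed sample: the course page of a hypothetical Moodle site, and a
// section description into which the tag from the thread was pasted.
const PAGE_URL = 'https://mymoodlesite.example/course/view.php?id=2';
const PASTED_BASE = 'https://duckduckgo.com';
const SAMPLE_DESCRIPTION =
  '<table><tr><td>Week 1</td></tr></table>' +
  '<base href="https://duckduckgo.com">' +
  '<p>See <a href="#">the dropdown</a></p>';

// Relative references of the kind found on a Moodle page (constructed list):
// the dropdown anchor from the thread, the forum's post form, and an edit link.
const RELATIVE_LINKS = ['#', 'post.php', 'editsection.php?id=4'];

// Compare where each reference lands with and without the injected base.
function showImpact() {
  return RELATIVE_LINKS.map((href) => ({
    href,
    withoutBase: resolveAgainstBase(href, PAGE_URL),
    withBase: resolveAgainstBase(href, PASTED_BASE),
  }));
}

// Stand-alone run: print the table and the cleaned description.
for (const row of showImpact()) {
  console.log(`${row.href.padEnd(22)} -> ${row.withoutBase}`);
  console.log(`${''.padEnd(22)}    with <base>: ${row.withBase}`);
}
console.log('cleaned:', stripBaseTags(SAMPLE_DESCRIPTION));
```

The resolution table reproduces the thread's observations: `#` becomes `https://duckduckgo.com/#`, and a form posting to `post.php` is sent to `https://duckduckgo.com/post.php`. The filter covers the case the original poster asked about (a harmless paste from a web page), but as Michael notes above, a user holding a capability flagged with XSS risk can set the same base from script, so stripping the tag is a usability fix for trusted editors rather than a security boundary.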