[3.7]Block certain HTML codes

Re: [3.7]Block certain HTML codes

by Richard van Iwaarden

Hi Michael,

It was not a forum post where this tag was posted. It was done by a teacher editing a topic description.

I was able to reproduce this here:

https://sandbox.moodledemo.net/course/view.php?id=2

Try editing topic 1: https://sandbox.moodledemo.net/course/editsection.php?id=4&sr and inserting the HTML <base href="https://duckduckgo.com">

This will be saved.

Now I don't know if this really is a bug or a security issue. It's just that teachers tend to cut and paste stuff from the Internet into their course. And when this HTML code is copied, many links in the course (which seem to be relative links) were destroyed.

I must add that I'm using a custom course format.

In reply to Richard van Iwaarden

Re: [3.7]Block certain HTML codes

by Michael Hawkins

Hi Richard,

Thanks for the additional information, I was able to see this being saved within a section (topic) description. As far as I could see, it looked as though the only relative links on the page (by default) are those that are used to display dropdowns (such as "Edit" and "Add an activity or resource"), where href="#" becomes href="https://duckduckgo.com/#", but whose actions are overridden by JavaScript, so the change has no effect on the behaviour of the page.

From a security perspective, it's also worth mentioning that editing section descriptions requires the 'moodle/course:update' capability, which is intended for trusted users such as teachers and admins, and is flagged as having XSS risk. That means users who can edit sections have permission to include JavaScript in the description, so stripping <base> tags from the HTML would not prevent them from being able to set that value.

(Apologies for the delay in responding, I looked into this further after your follow-up, but it appears that I failed to hit the post button!)
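To make the effect Richard saw and the point Michael makes concrete, here is an added example (not Moodle code, and not from either poster) in Python. It shows how a browser-style resolver treats a pasted <base href> (the first one wins and every relative link on the page is rebased onto it), and a small filter that drops <base> tags from user-supplied HTML. The page URL, the site name and the pasted description are constructed for the demonstration. Note that, as Michael's reply explains, users holding moodle/course:update may include JavaScript anyway, so a filter like this only protects against accidental breakage from pasted markup, not against a user who is already trusted with that capability.

```python
"""Added example (not Moodle's code): how a pasted <base href> rebases relative
links, and a defensive filter that removes <base> tags from submitted HTML."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: a section description a teacher pasted from another site.
PASTED_DESCRIPTION = (
    '<base href="https://duckduckgo.com">'          # the pasted tag from the thread
    '<p>See <a href="mod/page/view.php?id=7">the reading</a> '
    'and <a href="/course/view.php?id=2">the course</a>.</p>'
    '<base href="https://example.net/ignored/">'    # browsers honour only the first <base>
)
# Hypothetical site URL of the course page the description is shown on.
PAGE_URL = "https://moodle.example.org/course/view.php?id=2"


class LinkResolver(HTMLParser):
    """Collects <a href> values resolved the way a browser would:
    against the first <base href> if one exists, otherwise against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self._base_seen = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and not self._base_seen and attrs.get("href"):
            # Only the first <base href> counts; it is itself resolved against the page URL.
            self.base = urljoin(self.base, attrs["href"])
            self._base_seen = True
        elif tag == "a" and attrs.get("href") is not None:
            self.links.append(urljoin(self.base, attrs["href"]))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def resolve_links(html, page_url):
    """Return the absolute URLs every <a> in `html` would point to on `page_url`."""
    parser = LinkResolver(page_url)
    parser.feed(html)
    parser.close()
    return parser.links


class BaseStripper(HTMLParser):
    """Re-emits the markup unchanged except that every <base ...> tag is dropped.
    Character references are passed through verbatim so existing escaping survives."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "base":
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag != "base":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def strip_base_tags(html):
    """Return `html` with all <base> tags removed; everything else is kept as written."""
    stripper = BaseStripper()
    stripper.feed(html)
    stripper.close()
    return "".join(stripper.out)


if __name__ == "__main__":
    print("with pasted <base>:", resolve_links(PASTED_DESCRIPTION, PAGE_URL))
    cleaned = strip_base_tags(PASTED_DESCRIPTION)
    print("filtered HTML:     ", cleaned)
    print("after filtering:   ", resolve_links(cleaned, PAGE_URL))
```

With the pasted tag present, both course links resolve under duckduckgo.com, which is the "destroyed links" symptom from the first post; once the tag is removed they resolve under the site's own origin again. The resolver deliberately ignores the second <base>, matching the browser rule that only the first one takes effect.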