Trusted contents from users

by Mahmood Naderan
Number of replies: 6

In the security report, I see

RISK_XSS - found 9385 users that have to be trusted.

That is our total users! I then checked the student role and saw that the following feature is in fact disabled.

Trust submitted content
moodle/site:trustcontent

I mean the "allow" box is not marked. So, what else should I do?

In reply to Mahmood Naderan

Re: Trusted contents from users

by Randy Thornton
Mahmood,

Check the setting in Site administration > Security > Site security settings :: Enable trusted content. Then also check the Authenticated user role for the permission you looked at for the Student role. All users belong to the Authenticated user role upon login.
In reply to Randy Thornton

Re: Trusted contents from users

by Mahmood Naderan
The "Enable trusted content" is not marked and the default is NO.
Should I do something more?
I have been confused about that. Don't know if the rules are OK or not.
In reply to Mahmood Naderan

Re: Trusted contents from users

by Michael Hawkins
Hi Mahmood,

Having that not marked sounds correct. There are many capabilities in Moodle that are flagged with the XSS risk (by default usually only assigned to teachers/managers/admins), so I think you need to check the list of all assigned capabilities for users such as students, to figure out which capability they have been assigned that has that flag.

I think what Randy is suggesting is that if you can't find any capability students have been assigned that is flagged with XSS risk, then it may be a capability assigned to all authenticated users, so that role's capabilities would also be worth checking.
In reply to Michael Hawkins

Re: Trusted contents from users

by Randy Thornton
Exactly as Michael says. Since the number you see in the report is the same number as your total number of users, this capability is probably set on for the Authenticated user role.
In reply to Randy Thornton

Re: Trusted contents from users

by Mahmood Naderan
For both "authenticated user" and "student", the following feature is not marked.

Trust submitted content
moodle/site:trustcontent

Really...
Since it is in the middle of the page, I cannot show that the feature is disabled for those roles.
If you tell me the query command I will paste that here.
In reply to Mahmood Naderan

Re: Trusted contents from users

by Michael Hawkins
Hi Mahmood,

Trustcontent is not the only capability which is flagged with XSS risk; there are numerous.

To check which capability (or capabilities) are causing this, first navigate to /admin/roles/manage.php and click on "Authenticated user" to view its role definition. Just above the start of the list of capabilities, you should see a row titled "Role risks", which will have some triangle icons next to it to highlight which risks the role poses. On that row, if you see a red triangle with an exclamation mark in it (when you mouseover it, it will also say "XSS risk"), then the role contains some capability that has an XSS risk.

The end column of the capability table on that page shows the risks each capability is flagged with. To find the exact capability/capabilities with that risk, scroll down the capability list and find any with the same red triangle icon in the Risks column. Those are the capabilities that have been added to the role, which are flagged as having an XSS risk.

If you don't find any for the authenticated user role, try checking other user roles which shouldn't have access to XSS flagged capabilities, such as student, using the same steps outlined above, since it's possible something has been individually assigned to each role.

I hope that helps you pinpoint what you are looking for.
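Mahmood asked earlier for a query to paste; the following is an added example (not posted by anyone in the thread) that does in SQL what Michael's steps do in the role editor: it lists every capability allowed on the Authenticated user and Student role definitions whose risk bitmask carries Moodle's RISK_XSS bit. It assumes the default `mdl_` table prefix, Moodle's RISK_XSS value of 0x0004 from lib/accesslib.php, CAP_ALLOW = 1, and CONTEXT_SYSTEM = 10; adjust the prefix if your site uses another one.

```sql
-- Added example, not the thread's own code.
-- Lists capabilities that make a role carry the XSS-risk flag.
-- Assumptions: table prefix "mdl_", RISK_XSS = 0x0004 (lib/accesslib.php),
-- permission 1 = CAP_ALLOW, contextlevel 10 = CONTEXT_SYSTEM (where the
-- role definition shown at /admin/roles/manage.php is stored).
SELECT r.shortname      AS role,
       rc.capability    AS capability,
       c.riskbitmask    AS riskbitmask
  FROM mdl_role_capabilities rc
  JOIN mdl_role         r   ON r.id   = rc.roleid
  JOIN mdl_capabilities c   ON c.name = rc.capability
  JOIN mdl_context      ctx ON ctx.id = rc.contextid
 WHERE ctx.contextlevel = 10                 -- the role definition itself
   AND rc.permission = 1                     -- only explicit "Allow"
   AND (c.riskbitmask & 4) <> 0              -- RISK_XSS bit set
   AND r.shortname IN ('user', 'student')    -- 'user' = Authenticated user role
 ORDER BY r.shortname, rc.capability;
```

An empty result for `user` means no XSS-flagged capability is allowed on the Authenticated user role definition; any row for `user` applies to every logged-in account, which is why a single such capability there would match the full user count in the report.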