Trusttext cleaning bypass
Martin Dougiamas proposed a new way to allow specific group of users enter JavaScript and all other tags into places where all text is normally cleaned. This feature was implemented in Moodle 1.7. Please note that this feature is turned off by default. This page was originally part of Hardening new Roles system.
How to enable trusttext
- Allow capability moodle/site:trustcontent for all users that should be able to enter non-checked HTML - please be careful, they can launch XSS attacks on other users!
- Enable trusttext option via Settings > Site administration > Security > Site policies
Implementation
Trusttext implementation uses special marker #####TRUSTTEXT##### stored in the original text to indicate that the text is trusted. This marker is added into the text before storing in database and later is used to decide if the text should be cleaned or not. There are several functions that make the conversion of text fields a bit easier, but due to the fact that trusted information is stored inside of untrusted text the implementation might be a bit problematic.
Code conversion steps
- use trusttext_prepare_edit() to prepare text before print_text_area() - it strips trusttext marker and cleans the text if necessary
- use trusttext_after_edit() to add trusttext marker before storage into database - it does all the capability checks
- in case you need to do any text processing after retrieving the text from database and sending it to print_text()
- always first detect presence of trusttext marker in text
- strip the marker with trusttext_strip()
- do the text processing
- add the marker again if originally present with trusttext_mark()
- if not originally present strip the marked that might been unintentionally created during the textprocessing!
- use $options->trusttext=1 for format_text() when printing text as HTML
- during upgrade remove trusttext marker from existing data in database that might have been already entered into database
- fix restore code to strip the marker when restoring from older versions
- fix import/export to strip the trusttext marker
Why do some of these have to be manual steps? Why can's print_text_area() call trusttext_prepare_edit() for you? Why can't clean_param do trusttext_after_edit() the moment the data is received?--Tim Hunt
Of course we can integrate it more into those functions. On the other hand I like the possibilitiy to search for 'trusttext' string when reviewing the implementation, you know the use of trusttext is IMO error prone. --Petr Škoda (škoďák)
Note this ended up way more complex than that I had ever originally proposed (see Proposal 2) to the point where it's almost impossible to use now. I would still like to see it simplified. --Martin Dougiamas
Alternative implementation
It is also possible to add new field to existing database tables and store the trust information there. Capability moodle/site:trustedcontent would be used too; the trusttext configuration switch not. It is recommended to store the original author of the text and validate all data properly before printing.
Current conversion status
Already converted
- Glossary - entries, comments
- Forum - posts
Candidates
- HTML block
- Blogs
- Database comments
- Database entries ? (problematic)
- Assignment submissions ?
Not cleaned at present - only teachers
- most activity descriptions
- course descriptions
- Quiz - questions, feedback or any text by teacher
- Labels
- Resources