
mahara-contributors team mailing list archive

[Bug 1213994] Re: Additional html does not always work

 

There was an issue with security where if a site was compromised via a
web browser then a hacker could easily add all manner of bad code in via
the interface in the administration section. So it was decided to pass
all code from the additional html system through clean html before
displaying.

Then it was decided to remove the administration interface for
adding/updating the code to display as that was an even safer option. So
now a site administrator can only add code for additional html directly
to the database to be displayed.

So now it is probably ok to allow that code to display as expected,
rather than go through clean html.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1213994

Title:
  Additional html does not always work

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  I have got an email request explaining the problem:

  "...But the problem is when I add a sample reference to Additional
  HTML (Within HEAD), e.g.

  <link href="some.css" type="text/css" rel="stylesheet">
  it doesn't show inside HEAD element at all. Do you have an idea what to do to make it show inside HEAD element?"

  It seems that clean_html parsing applied to Additional HTML removes
  the type of content similar to the above, and actually makes the
  Additional HTML feature useless, as it seems to ignore everything apart
  from very simple html. I suggest not to do clean_html for this kind of
  output. The reason is the feature is used by site admins only and simply
  makes it easier to add extra content without modifying the theme code. I
  think the site admin should take all responsibility for the content as
  it is the same as adding it directly to the theme code itself. BTW, a
  similar feature in Moodle does not apply clean html parsing to output
  either.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1213994/+subscriptions

