...
By default, when content is passed through format_text() with FORMAT_HTML or directly through clean_text(), and consistent cleaning is not turned off, content is sanitised in the most secure way possible.
...
Whenever content goes through the clean_text() function we do sanitise the input by default using the HTML Purifier library. The library will scan the text and will remove anything it does not regard as safe.
...
In addition to the default settings Totara is using these additional configuration options:
Option | Value | Notes |
|---|---|---|
HTML.DefinitionID | moodlehtml | - |
HTML.DefinitionRev | 6 | - |
Cache.SerializerPath | %totaracachedir% | - |
Cache.SerializerPermissions | $CFG->directorypermissions | - |
Core.NormalizeNewlines | false | - |
Core.ConvertDocumentToFragment | true | - |
Core.Encoding | UTF-8 | - |
HTML.Doctype | XHTML 1.0 Transitional | - |
URI.AllowedSchemes | http, https, irc, nntp, news, rtsp, rtmp, teamspeak, mms, mailto, skype, meet, sip, xmpp | - |
Attr.AllowedFrameTargets | _blank | - |
Attr.EnableID | true | Only if option allowid is passed to clean_text |
CSS.Proprietary | true | Allow safe CSS extensions - http://htmlpurifier.org/live/configdoc/plain.html#CSS.Proprietary |
CSS.AllowTricky | true | Since Totara 13.9 and 14.1 |
HTML.SafeObject | true | Available in Totara 13 but removed in Totara 14 |
Output.FlashCompat | true | Available in Totara 13 but removed in Totara 14 |
HTML.SafeEmbed | true | Available in Totara 13 but removed in Totara 14 |
In addition we do allow the following elements and attributes:
Option | Value | Notes |
|---|---|---|
Additional elements | nolink (block) | 1) Original multilang style 2) https://html.spec.whatwg.org/#the-video-element |
Additional attributes | role | All elements. Since Totara 17.16 and 18.3 |
XHTML 1.1 Ruby Annotation Module | - | XHTML 1.1 Ruby Annotation Module, defines elements that indicate short runs of text alongside base text for annotation or pronunciation. |