Totara 13 changes to content sanitisation

In Totara 13 the content sanitisation approach changed compared to the previous versions. For more information about the changes please read Totara 13 changes to content sanitisation.

When does content get sanitised?

Content which could potentially contain insecure parts (e.g. JavaScript, HTML, etc.) should always be sanitised before it is output to the browser. There are some exceptions where input is cleaned on the way in, but to avoid potential unwanted data loss this is not common practice.

By default, when content is passed through format_text() with FORMAT_HTML or directly through clean_text(), and consistent cleaning is not turned off, content is sanitised in the most secure way possible.

When the setting Disable consistent cleaning is turned on the platform will be less secure and will allow privileged users to enter a wide range of risky content. Please refer to Totara 13 changes to content sanitisation to read about the impact of this setting.

HTMLPurifier

Whenever content goes through the clean_text() function, the input is sanitised by default using the HTML Purifier library. The library scans the text and removes anything it does not regard as safe.

Please see the HTML Purifier website or documentation for more information.

The default settings can be explored on the HTML Purifier website, where you will also find a list of all elements and attributes allowed by default.

In addition to the default settings, Totara uses these configuration options:

| Option | Value | Notes |
|---|---|---|
| HTML.DefinitionID | moodlehtml | - |
| HTML.DefinitionRev | 6 | - |
| Cache.SerializerPath | %totaracachedir% | - |
| Cache.SerializerPermissions | $CFG->directorypermissions | - |
| Core.NormalizeNewlines | false | - |
| Core.ConvertDocumentToFragment | true | - |
| Core.Encoding | UTF-8 | - |
| HTML.Doctype | XHTML 1.0 Transitional | - |
| URI.AllowedSchemes | http, https, irc, nntp, news, rtsp, rtmp, teamspeak, mms, mailto, skype, meet, sip, xmpp | - |
| Attr.AllowedFrameTargets | _blank | - |
| Attr.EnableID | true | Only if option allowid is passed to clean_text |
| CSS.Proprietary | true | Allow safe CSS extensions - http://htmlpurifier.org/live/configdoc/plain.html#CSS.Proprietary |
| CSS.AllowTricky | true | Since Totara 13.9 and 14.1 |
| HTML.SafeObject | true | Available in Totara 13 but removed in Totara 14 |
| Output.FlashCompat | true | Available in Totara 13 but removed in Totara 14 |
| HTML.SafeEmbed | true | Available in Totara 13 but removed in Totara 14 |

In addition, the following elements and attributes are allowed:

| Option | Value | Notes |
|---|---|---|
| Additional elements | nolink (block), tex (inline), algebra (inline), lang (block) 1), video (block) 2), audio (block) 3), source 4), track 5) | See footnotes below |
| Additional attributes | role, aria-* | All elements. Since Totara 17.16 and 18.3 |
| XHTML 1.1 Ruby Annotation Module | - | Defines elements that indicate short runs of text alongside base text for annotation or pronunciation. |

1) Original multilang style

2) https://html.spec.whatwg.org/#the-video-element
3) https://html.spec.whatwg.org/#the-audio-element
4) https://html.spec.whatwg.org/#the-source-element
5) https://html.spec.whatwg.org/#the-track-element
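As an added example (not Totara's own code), the options from the tables above expressed directly against the HTML Purifier API, with a subset of the extra elements registered and a constructed input run through the result. It assumes HTML Purifier is installed via Composer, uses the system temp directory in place of %totaracachedir%, and the sample HTML is constructed for the demonstration.

```php
<?php
// Added example, not Totara code: an HTML Purifier instance configured with the
// options listed above, plus a few of the extra elements Totara registers.
// Assumes HTML Purifier is installed via Composer (vendor/autoload.php).
require_once __DIR__ . '/vendor/autoload.php';

function build_purifier(bool $allowid = false): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // The ID/Rev pair lets the customised definition be cached; bump Rev
    // whenever the addElement() calls below change, or a stale cache is used.
    $config->set('HTML.DefinitionID', 'moodlehtml');
    $config->set('HTML.DefinitionRev', 6);
    // Totara uses %totaracachedir%; the system temp dir stands in here.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    $config->set('Core.NormalizeNewlines', false);
    $config->set('Core.ConvertDocumentToFragment', true);
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    $config->set('URI.AllowedSchemes', array_fill_keys(['http', 'https', 'irc', 'nntp',
        'news', 'rtsp', 'rtmp', 'teamspeak', 'mms', 'mailto', 'skype', 'meet', 'sip',
        'xmpp'], true));
    $config->set('Attr.AllowedFrameTargets', ['_blank' => true]);
    $config->set('Attr.EnableID', $allowid); // true only when clean_text() gets allowid
    $config->set('CSS.Proprietary', true);
    $config->set('CSS.AllowTricky', true);

    // Extra elements (subset): nolink, lang, video with a nested source.
    // maybeGetRawHTMLDefinition() returns null when a cached definition exists.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addElement('nolink', 'Block', 'Flow', []);
        $def->addElement('lang', 'Block', 'Flow', [], ['lang' => 'CDATA']);
        $def->addElement('video', 'Block', 'Optional: #PCDATA | Flow | source', 'Common', [
            'src' => 'URI', 'controls' => 'Bool#controls',
            'width' => 'Length', 'height' => 'Length',
        ]);
        // Type false: source is only valid where a parent (video) lists it.
        $def->addElement('source', false, 'Empty', [], ['src' => 'URI', 'type' => 'Text']);
    }
    return new HTMLPurifier($config);
}

// Constructed input: a safe paragraph plus several things that must not survive.
$dirty = '<p id="intro" onclick="alert(1)">Hi</p><script>alert(1)</script>'
       . '<video controls src="https://example.com/a.mp4"></video>'
       . '<a href="javascript:alert(1)" target="_blank">x</a>';

echo build_purifier()->purify($dirty), "\n";      // script, onclick, javascript: URI and id removed
echo build_purifier(true)->purify($dirty), "\n";  // same, except id="intro" is kept
```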