Content sanitisation

Totara 13 changes to content sanitisation

In Totara 13 the content sanitisation approach changed compared to the previous versions. For more information about the changes please read Totara 13 changes to content sanitisation.

When does content get sanitised?

Content which could potentially contain insecure parts (i.e. Javascript, HTML, etc.) should always be sanitised before outputting the content on the browser. There are some exceptions where input is cleaned but to avoid potential unwanted data loss this is not common practice. 

By default, when content is passed through format_text() with FORMAT_HTML or directly through clean_text(), and consistent cleaning is not turned off, content is sanitised in the most secure way possible.

When the setting Disable consistent cleaning is turned on the platform will be less secure and will allow privileged users to enter a wide range of risky content. Please refer to Totara 13 changes to content sanitisation to read about the impact of this setting.

HTMLPurifier

Whenever content goes through the clean_text() function we do sanitise the input by default using the HTML Purifier library. The library will scan the text and will remove anything it does not regard as safe.

Please see the HTML Purifier website or documentation for more information.  

The default settings can be explored on the HTML Purifier website, where you will also find a list of all elements and attributes allowed by default. 

In addition to the default settings Totara is using these additional configuration options:

OptionValueNotes
HTML.DefinitionIDmoodlehtml-
HTML.DefinitionRev6-
Cache.SerializerPath%totaracachedir%-
Cache.SerializerPermissions$CFG->directorypermissions-
Core.NormalizeNewlinesfalse-
Core.ConvertDocumentToFragmenttrue-
Core.EncodingUTF-8-
HTML.DoctypeXHTML 1.0 Transitional-
URI.AllowedSchemeshttp, https, irc, nntp, news, rtsp, rtmp, teamspeak, mms, mailto, skype, meet, sip, xmpp-
Attr.AllowedFrameTargets_blank-
Attr.EnableIDtrueOnly if option allowid is passed to clean_text
CSS.ProprietarytrueAllow safe CSS extensions - http://htmlpurifier.org/live/configdoc/plain.html#CSS.Proprietary
CSS.AllowTrickytrueSince Totara 13.9 and 14.1
HTML.SafeObjecttrue

Available in Totara 13 but removed in Totara 14

Output.FlashCompattrue

Available in Totara 13 but removed in Totara 14

HTML.SafeEmbedtrue

Available in Totara 13 but removed in Totara 14


In addition we do allow the following elements and attributes:

OptionValueNotes
Additional elementsnolink (block)
tex (inline)
algebra (inline)
lang (block)1)
video (block)2)
audio (block)3)
source4)
track5)

1) Original multilang style

2) https://html.spec.whatwg.org/#the-video-element
3) https://html.spec.whatwg.org/#the-audio-element
4) https://html.spec.whatwg.org/#the-source-element
5) https://html.spec.whatwg.org/#the-track-element
Additional attributesrolerole is only allowed if allowrole option is passed and only for those tags defined in the option
XHTML 1.1 Ruby Annotation Module-XHTML 1.1 Ruby Annotation Module, defines elements that indicate short runs of text alongside base text for annotation or pronunciation.