Content sanitisation

Totara 13 changes to content sanitisation

In Totara 13 the content sanitisation approach changed compared to the previous versions. For more information about the changes please read Totara 13 changes to content sanitisation.

When does content get sanitised?

Content which could potentially contain insecure parts (i.e. Javascript, HTML, etc.) should always be sanitised before outputting the content on the browser. There are some exceptions where input is cleaned but to avoid potential unwanted data loss this is not common practice. 

By default, when content is passed through format_text() with FORMAT_HTML or directly through clean_text(), and consistent cleaning is not turned off, content is sanitised in the most secure way possible.

When the setting Disable consistent cleaning is turned on the platform will be less secure and will allow privileged users to enter a wide range of risky content. Please refer to Totara 13 changes to content sanitisation to read about the impact of this setting.

HTMLPurifier

Whenever content goes through the clean_text() function we do sanitise the input by default using the HTML Purifier library. The library will scan the text and will remove anything it does not regard as safe.

Please see the HTML Purifier website or documentation for more information.  

The default settings can be explored on the HTML Purifier website, where you will also find a list of all elements and attributes allowed by default. 

In addition to the default settings Totara is using these additional configuration options:

Option

Value

Notes

Option

Value

Notes

HTML.DefinitionID

moodlehtml

-

HTML.DefinitionRev

6

-

Cache.SerializerPath

%totaracachedir%

-

Cache.SerializerPermissions

$CFG->directorypermissions

-

Core.NormalizeNewlines

false

-

Core.ConvertDocumentToFragment

true

-

Core.Encoding

UTF-8

-

HTML.Doctype

XHTML 1.0 Transitional

-

URI.AllowedSchemes

http, https, irc, nntp, news, rtsp, rtmp, teamspeak, mms, mailto, skype, meet, sip, xmpp

-

Attr.AllowedFrameTargets

_blank

-

Attr.EnableID

true

Only if option allowid is passed to clean_text

CSS.Proprietary

true

Allow safe CSS extensions - http://htmlpurifier.org/live/configdoc/plain.html#CSS.Proprietary

CSS.AllowTricky

true

Since Totara 13.9 and 14.1

HTML.SafeObject

true

Available in Totara 13 but removed in Totara 14

Output.FlashCompat

true

Available in Totara 13 but removed in Totara 14

HTML.SafeEmbed

true

Available in Totara 13 but removed in Totara 14



In addition we do allow the following elements and attributes:

Option

Value

Notes

Option

Value

Notes

Additional elements

nolink (block)
tex (inline)
algebra (inline)
lang (block)1)
video (block)2)
audio (block)3)
source4)
track5)

1) Original multilang style

2) https://html.spec.whatwg.org/#the-video-element
3) https://html.spec.whatwg.org/#the-audio-element
4) https://html.spec.whatwg.org/#the-source-element
5) https://html.spec.whatwg.org/#the-track-element

Additional attributes

role
aria-*

All elements. Since Totara 17.17 and 18.4

XHTML 1.1 Ruby Annotation Module

-

XHTML 1.1 Ruby Annotation Module, defines elements that indicate short runs of text alongside base text for annotation or pronunciation.