Content sanitisation
Totara 13 changes to content sanitisation
In Totara 13 the content sanitisation approach changed compared to the previous versions. For more information about the changes please read Totara 13 changes to content sanitisation.
When does content get sanitised?
Content which could potentially contain insecure parts (i.e. Javascript, HTML, etc.) should always be sanitised before outputting the content on the browser. There are some exceptions where input is cleaned but to avoid potential unwanted data loss this is not common practice.
By default, when content is passed through format_text() with FORMAT_HTML or directly through clean_text(), and consistent cleaning is not turned off, content is sanitised in the most secure way possible.
When the setting Disable consistent cleaning is turned on the platform will be less secure and will allow privileged users to enter a wide range of risky content. Please refer to Totara 13 changes to content sanitisation to read about the impact of this setting.
HTMLPurifier
Whenever content goes through the clean_text() function we do sanitise the input by default using the HTML Purifier library. The library will scan the text and will remove anything it does not regard as safe.
Please see the HTML Purifier website or documentation for more information.
The default settings can be explored on the HTML Purifier website, where you will also find a list of all elements and attributes allowed by default.
In addition to the default settings Totara is using these additional configuration options:
| Option | Value | Notes |
|---|---|---|
| HTML.DefinitionID | moodlehtml | - |
| HTML.DefinitionRev | 6 | - |
| Cache.SerializerPath | %totaracachedir% | - |
| Cache.SerializerPermissions | $CFG->directorypermissions | - |
| Core.NormalizeNewlines | false | - |
| Core.ConvertDocumentToFragment | true | - |
| Core.Encoding | UTF-8 | - |
| HTML.Doctype | XHTML 1.0 Transitional | - |
| URI.AllowedSchemes | http, https, irc, nntp, news, rtsp, rtmp, teamspeak, mms, mailto, skype, meet, sip, xmpp | - |
| Attr.AllowedFrameTargets | _blank | - |
| Attr.EnableID | true | Only if option allowid is passed to clean_text |
| CSS.Proprietary | true | Allow safe CSS extensions - http://htmlpurifier.org/live/configdoc/plain.html#CSS.Proprietary |
| CSS.AllowTricky | true | Since Totara 13.9 and 14.1 |
| HTML.SafeObject | true | Available in Totara 13 but removed in Totara 14 |
| Output.FlashCompat | true | Available in Totara 13 but removed in Totara 14 |
| HTML.SafeEmbed | true | Available in Totara 13 but removed in Totara 14 |
In addition we do allow the following elements and attributes:
| Option | Value | Notes |
|---|---|---|
| Additional elements | nolink (block) tex (inline) algebra (inline) lang (block)1) video (block)2) audio (block)3) source4) track5) | 1) Original multilang style 2) https://html.spec.whatwg.org/#the-video-element3) https://html.spec.whatwg.org/#the-audio-element 4) https://html.spec.whatwg.org/#the-source-element 5) https://html.spec.whatwg.org/#the-track-element |
| Additional attributes | role | role is only allowed if allowrole option is passed and only for those tags defined in the option |
| XHTML 1.1 Ruby Annotation Module | - | XHTML 1.1 Ruby Annotation Module, defines elements that indicate short runs of text alongside base text for annotation or pronunciation. |