Merged $CFG->allowobjectembed from stable

2025-01-18 22:08:20 +01:00 · 2005-06-05 05:40:24 +00:00 · 2005-06-05 05:40:24 +00:00 · d046ae55ad
commit d046ae55ad
parent b99e8b98fc
4 changed files with 17 additions and 7 deletions
--- a/admin/configvars.php
+++ b/admin/configvars.php
@ -201,6 +201,10 @@ class configvarrss extends configvar {
    $permissions['messaging'] = new configvar (get_string('configmessaging', 'admin'),
        choose_from_menu ($noyesoptions, 'messaging', $config->messaging, '', '', '', true) );

+/// allowobjectembed
+    $permissions['allowobjectembed'] = new configvar (get_string('configallowobjectembed', 'admin'),
+        choose_from_menu ($noyesoptions, 'allowobjectembed', $config->allowobjectembed, '', '', '', true) );
+


 ////////////////////////////////////////////////////////////////////
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@ -11,6 +11,7 @@ $string['calendarsettings'] = 'Calendar';
 $string['change'] = 'change';
 $string['configallowcoursethemes'] = 'If you enable this, then courses will be allowed to set their own themes.  Course themes override all other theme choices (site, user, or session themes)';
 $string['configallowemailaddresses'] = 'If you want to restrict all new email addresses to particular domains, then list them here separated by spaces.  All other domains will be rejected.  eg <strong>ourcollege.edu.au .gov.au</strong>';
+$string['configallowobjectembed'] = 'As a default security measure, normal users are not allowed to embed multimedia (like Flash) within texts using explicit EMBED and OBJECT tags in their HTML (although it can still be done safely using the mediaplugins filter).  If you wish to allow these tags then enable this option.';
 $string['configallowunenroll'] = 'If this is set \'Yes\', then students are allowed to unenroll themselves from courses whenever they like. Otherwise they are not allowed, and this process will be solely controlled by the teachers and administrators.';
 $string['configallowuserblockhiding'] = 'Do you want to allow users to hide/show side blocks throughout this site?  This feature uses Javascript and cookies to remember the state of each collapsible block, and only affects the user\'s own view.';
 $string['configallowuserthemes'] = 'If you enable this, then users will be allowed to set their own themes.  User themes override site themes (but not course themes)';
--- a/lib/defaults.php
+++ b/lib/defaults.php
@ -4,9 +4,10 @@
 // It defines default values for any important configuration variables

   $defaults = array (
-       'allowemailaddresses'      =>  '',
-       'allowunenroll'            =>  true,
       'allowcoursethemes'        =>  false,
+       'allowemailaddresses'      =>  '',
+       'allowobjectembed'         =>  false,
+       'allowunenroll'            =>  true,
       'allowuserthemes'          =>  false,
       'allowuserblockhiding'     =>  true,
       'allusersaresitestudents'  =>  true,
--- a/lib/weblib.php
+++ b/lib/weblib.php
@ -75,11 +75,11 @@ define('FORMAT_MARKDOWN', '4');   // Markdown-formatted text http://daringfireba
 * @global string $ALLOWED_TAGS
 */
 $ALLOWED_TAGS =
-'<p><br><b><i><u><font><table><tbody><span><div><tr><td><th><ol><ul><dl><li><dt><dd><h1><h2><h3><h4><h5><h6><hr><img><a><strong><emphasis><em><sup><sub><address><cite><blockquote><pre><strike><embed><object><param><acronym><nolink><lang><tex><algebra><mat
-h><mi><mn><mo><mtext><mspace><ms><mrow><mfrac><msqrt><mroot><mstyle><merror><mpadded><mphantom><mfenced><msub><msup><msubsup><munder><mover><munderover><mmultiscripts><mtable><mtr><mtd><maligngroup><malignmark><maction><cn><ci><apply><reln><fn><interval><
-inverse><sep><condition><declare><lambda><compose><ident><quotient><exp><factorial><divide><max><min><minus><plus><power><rem><times><root><gcd><and><or><xor><not><implies><forall><exists><abs><conjugate><eq><neq><gt><lt><geq><leq><ln><log><int><diff><par
-tialdiff><lowlimit><uplimit><bvar><degree><set><list><union><intersect><in><notin><subset><prsubset><notsubset><notprsubset><setdiff><sum><product><limit><tendsto><mean><sdev><variance><median><mode><moment><vector><matrix><matrixrow><determinant><transpo
-se><selector><annotation><semantics><annotation-xml><tt><code>';
+'<p><br><b><i><u><font><table><tbody><span><div><tr><td><th><ol><ul><dl><li><dt><dd><h1><h2><h3><h4><h5><h6><hr><img><a><strong><emphasis><em><sup><sub><address><cite><blockquote><pre><strike><param><acronym><nolink><lang><tex><algebra><math><mi><mn><mo><mtext><mspace><ms><mrow><mfrac><msqrt><mroot><mstyle><merror><mpadded><mphantom><mfenced><msub><msup><msubsup><munder><mover><munderover><mmultiscripts><mtable><mtr><mtd><maligngroup><malignmark><maction><cn><ci><apply><reln><fn><interval><inverse><sep><condition><declare><lambda><compose><ident><quotient><exp><factorial><divide><max><min><minus><plus><power><rem><times><root><gcd><and><or><xor><not><implies><forall><exists><abs><conjugate><eq><neq><gt><lt><geq><leq><ln><log><int><diff><partialdiff><lowlimit><uplimit><bvar><degree><set><list><union><intersect><in><notin><subset><prsubset><notsubset><notprsubset><setdiff><sum><product><limit><tendsto><mean><sdev><variance><median><mode><moment><vector><matrix><matrixrow><determinant><transpose><selector><annotation><semantics><annotation-xml><tt><code>';
+
+if (!empty($CFG->allowobjectembed)) {
+    $ALLOWED_TAGS .= '<embed><object>';
+}

 /**
 * Allowed protocols - array of protocols that are safe to use in links and so on
@ -2900,6 +2900,10 @@ function print_textarea($usehtmleditor, $rows, $cols, $width, $height, $name, $v
    }

    if ($usehtmleditor) {
+
+        // cleanup bad html that may have made it to the db
+        $value = clean_text($value);
+
        if (!empty($courseid) and isteacher($courseid)) {
            echo ($scriptcount < 1) ? '<script type="text/javascript" src="'. $CFG->wwwroot .'/lib/editor/htmlarea.php?id='. $courseid .'"></script>'."\n" : '';
        } else {