The problem is that HTML Purifier is not compatible with Markdown,
that means we cannot sanitise Markdown texts before editing.
Luckily Markdown has to use plain text editor which does not have
XSS problems.
The only tiny downside is that Markdown cannot be allowed
in "trust text" areas any more.
* The file file_remove_editor_orphaned_files should take into account URL that
have been embedded in a tag content instead of an attribute (like src attribute)
* This will fix issue with inserting H5P content in calendar events.
Before this commit, is_empty() was being applied before returning
the mock response. But we want to be able to mock the empty response
for some tests, hence moving the condition to null/isset, that is
the value that array_pop() returns where there aren't more elements
in the array.
With that change performed, we can test lti_load_cartridge() with
empty responses, hence adding a new test for that.
After cbf9dfb the CURLOPT_FILE no longer behaves as expected. All
redirect responses are appended to the same stream resource. This fix
reverts back to the old behavior by setting the stream pointer back to
the beginning for each subsequent redirect.
This also implements the functionality for SCORM packages, which may
have SVG images embedded within their content which require loading
directly (and are only created by users with appropriate risk flag).
It was a mistake to force filtering of SVG files in MDL-55243. It can
easily lead to corrupted SVG files.
The patch removes that forced filtering and clarifies the inline comment
of what and why we need to do.
The security problem here was that only the first and the last URL in
the redirect chain was checked by the security helper. This patch forces
the curl wrapper to always emulate cURL redirects and check every
redirect URL in the chain before actually visiting it.
Augument all installed plugin's security helper if there is any.
Plugins function has to be defined as plugintype_pluginname_security_helper in pluginname/lib.php file.
The code has been using terms that were found exclusive and potentially
derogatory. Fixing the terms and making the variables and methods
consistent with the related admin settings.
It was found out that in certain situations there may be some content
in to output handlers buffers. Let's allow that to happen given that:
* default handler's buffer is not sent as a part of the file and an
error is reported into the server log.
* other handlers' buffer is sent with the assumption that it is required
for the correct serving of the file.
Currently, PHP getimagesize method doesn't support SVG images.
As some features, such as badges, processs and optimise the images
before using them, a new filetype group has been created to exclude
SVG from there: optimised_image.
SVG can't be removed from web_image because then users won't be
able to add SVG images to their courses using labels, pages...
When you download a file directly from a Moodle form submit button,
the submit button disables when you click it, but you remain on that
page so we need to re-enable the button.
This commit causes it to re-enable once the file download finishes,
setting a temporary cookie to indicate this to the JavaScript code.
It also adds a method to disable the system on a given form by
setting data-double-submit-protection="off".
$includetoken parameter type has been changed. Now supports:
boolean: False indicates to not include the token, true indicates to generate a token for the current user ($USER).
integer: Indicates to generate a token for the user whose id is the integer value.
Also added 'history' filearea for the history report where files
will be copied to if the site has enabled this feature.
We will also be storing files in the module context, not course,
so that check was removed.
Support use of a token for access to pluginfile.php when rewriting text
content.
This is primarily intended for notifications where the user is unlikely
to be logged into Moodle when receiving the notification.