This "feature" was used to partially eliminate XSS attacks on vulnerable code. Developers MUST use clean_text() on HTML text fragments only; it cannot be used on random HTML tag attributes.
This change may make exploiting vulnerable code a bit simpler, but every XSS cheat sheet contains information on how to work around this outdated anti-XSS measure.
Please note this change fixes many problems with valid uses of language= or onXXXXX= such as in URLs, TeX, code samples, etc.
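The breakage described above can be reproduced with a small stand-in filter. This is an added example, not part of the commit or the project's code: `legacy_keyword_rewrite()`, `escape_attribute()` and both regular expressions are hypothetical, written only from the description in the message, and the sample strings are constructed.

```php
<?php
// Hypothetical stand-in for the keyword rewriting the message describes.
// The patterns are assumptions, not the code that was removed.
function legacy_keyword_rewrite(string $text): string {
    // Neutralise "language=" and "onXXXXX=" wherever they appear in the text.
    $text = preg_replace('~([^a-z])language(\s*)=~i', '$1Xlanguage=', $text);
    return preg_replace('~([^a-z])on([a-z]+)(\s*)=~i', '$1Xon$2=', $text);
}

// Context-appropriate output for a value placed inside a quoted HTML attribute.
// Fragment cleaning is the wrong tool here; escaping the value is the right one.
function escape_attribute(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed samples of legitimate content: a URL, an already escaped
// code sample, and a TeX expression.
$samples = [
    'url'  => 'See https://example.org/course/view.php?id=2&language=en',
    'code' => 'Example: &lt;button onclick=&quot;save()&quot;&gt;',
    'tex'  => '$$ onset = t_0 + \Delta $$',
];

foreach ($samples as $name => $text) {
    $out = legacy_keyword_rewrite($text);
    // Every sample is altered even though none of it is active markup.
    printf("%-4s in : %s\n     out: %s\n", $name, $text, $out);
}

// Attribute context: quotes, ampersands and angle brackets in the value are
// escaped, so the value cannot close the attribute it is placed in.
$title = 'Quiz "A" & <draft>';
echo '<a href="#" title="' . escape_attribute($title) . '">link</a>', "\n";
```

Each sample comes back with `Xlanguage=` or `Xon...=` inserted, which is the corruption of valid text the message refers to, while the attribute value is handled by escaping for its own context.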
incorrect PAGE init - it should be done at the very end; redirect() should not use OUTPUT before PAGE init; SITEID should be deprecated in favour of $SITE->id (this is going to cause trouble in tenant switching in CLI, cron and tests); missing "global $SITE"; minor coding style issues; PHPDocs; it also helps with merging/testing of the multitenant patch
The new HTMLPurifier finally caches the schema properly, eliminating both extra CPU cycles and disk writes. The repeated dir exists tests might cause problems on NFS shares.
Bug fixes:
* fixed broken flash resizing via URL
* upgraded Flowplayer
* fixed invalid context in format_text()
* all media related CSS moved from themes to filter and resources
* fixed automatic pdf resizing in resources
Changes:
* reworked filter_mediaplugin system settings - grouped by player type instead of individual extensions, added more information
* improved regex url matching
* removed old unused players, Eolas fix and UFO embedding
* image embedding moved to filter_urltolink
* new Flowplayer embedding API
* accessibility and compatibility tweaks in Flowplayer
* SWF embedding now works only in trusted texts; it is now enabled by default (works everywhere if "Allow EMBED and OBJECT tags" is enabled)
* new default video width and height
New features:
* automatic Flash video resizing using information from video metadata
* Flash HD video support (*.f4v)
* Flash video embedding with HTML5 fallback - compatible with iOS and other mobile devices
* Vimeo embedding
* no-cookie YouTube site supported
* HTML 5 audio and video with multiple source URLs and QuickTime fallback
* more video and audio extensions in filelib.php
* MP3 player colours customisable via CSS in themes
* nomediaplugin class in a tag prevents media embedding
This commit:
a) moves modinfo code into new library modinfolib.php
b) uses classes instead of stdClass objects, allowing a huge amount of documentation (and IDE completion)
c) adds hooks so that plugins other than forum can display messages like forum's 'unread', and plugins other than label can display html (apart from/as well as their view.php link) on the course view page
d) removes current hacks for forum and label (mainly in print_section but also across the code), replacing with new 'content' and similar variables [this is the reason for the changes in blocks, etc]
e) reduces size of modinfo in database (only when rebuilt) by excluding empty fields
The change is intended to be backward compatible and does not affect the format of modinfo in database.
Major tasks undertaken in this patch:
* New format_text argument, overflowdiv.
* New page layout Report.
* Review of all format_text calls.
* Added support for the report layout to all themes.
* Changed forum post display from tables to divs.