From d449b246635071cbb77b797101240cf2558af9f7 Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Tue, 24 Aug 2010 09:14:09 +0000
Subject: [PATCH] MDL-23916 JS now allowed on private /my/ pages again

---
 blocks/html/block_html.php | 17 +++++++++++++++--
 blocks/html/edit_form.php  |  8 ++------
 blocks/html/lib.php        | 12 ++++++++++++
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/blocks/html/block_html.php b/blocks/html/block_html.php
index de223ba59ae..d565d88dad8 100755
--- a/blocks/html/block_html.php
+++ b/blocks/html/block_html.php
@@ -92,11 +92,24 @@ class block_html extends block_base {
     }
 
     function content_is_trusted() {
+        global $SCRIPT;
+
         if (!$context = get_context_instance_by_id($this->instance->parentcontextid)) {
             return false;
         }
-        //find out if this block is on the profile page - we must not allow any XSS there in case admin uses login-as feature
-        return ($context->contextlevel != CONTEXT_USER);
+        //find out if this block is on the profile page
+        if ($context->contextlevel == CONTEXT_USER) {
+            if ($SCRIPT === '/my/index.php') {
+                // this is exception - page is completely private, nobody else may see content there
+                // that is why we allow JS here
+                return true;
+            } else {
+                // no JS on public personal pages, it would be a big security issue
+                return false;
+            }
+        }
+
+        return true;
     }
 
     /**
diff --git a/blocks/html/edit_form.php b/blocks/html/edit_form.php
index 8621361e8a0..05b52fde06b 100644
--- a/blocks/html/edit_form.php
+++ b/blocks/html/edit_form.php
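Review bot: The `$SCRIPT === '/my/index.php'` branch in content_is_trusted() assumes the dashboard is seen by its owner only, yet the comment it deletes named the admin "login as" feature as the reason JS was blocked on user-context blocks, and the new comment does not say how that case is handled now. Either the login-as situation should keep returning false, or the comment should record the accepted risk, e.g. `// /my/ is private to its owner, but an admin using "login as" also reaches it; JS is accepted here on that understanding (MDL-23916)`. The CONTEXT_USER branch can also shrink to `return ($SCRIPT === '/my/index.php');`, leaving the final `return true;` as the only non-user path. content_is_trusted() lies entirely within the hunk; the rest of the class is not shown.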
@@ -37,13 +37,9 @@ class block_html_edit_form extends block_edit_form {
         $mform->addElement('text', 'config_title', get_string('configtitle', 'block_html'));
         $mform->setType('config_title', PARAM_MULTILANG);
 
-        // prevent potential XSS on user profile pages
-        $parentcontext = get_context_instance_by_id($this->block->instance->parentcontextid);
-        $noclean = ($parentcontext->contextlevel != CONTEXT_USER);
-
-        $editoroptions = array('maxfiles' => EDITOR_UNLIMITED_FILES, 'noclean'=>$noclean, 'context'=>$this->block->context);
+        $editoroptions = array('maxfiles' => EDITOR_UNLIMITED_FILES, 'noclean'=>true, 'context'=>$this->block->context);
         $mform->addElement('editor', 'config_text', get_string('configcontent', 'block_html'), null, $editoroptions);
-        $mform->setType('config_text', PARAM_RAW); // no XSS prevention here, users must be trusted
+        $mform->setType('config_text', PARAM_RAW); // XSS is prevented when printing the block contents and serving files
     }
 
     function set_data($defaults) {
diff --git a/blocks/html/lib.php b/blocks/html/lib.php
index 3e4645d779b..69452162a19 100644
--- a/blocks/html/lib.php
+++ b/blocks/html/lib.php
@@ -24,6 +24,7 @@
  */
 
 function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $args, $forcedownload) {
+    global $SCRIPT;
 
     if ($context->contextlevel != CONTEXT_BLOCK) {
         send_file_not_found();
@@ -44,6 +45,17 @@ function block_html_pluginfile($course, $birecord_or_cm, $context, $filearea, $a
         send_file_not_found();
     }
 
+    if ($parentcontext = get_context_instance_by_id($birecord_or_cm->parentcontextid)) {
+        if ($parentcontext->contextlevel == CONTEXT_USER) {
+            // force download on all personal pages including /my/
+            //because we do not have reliable way to find out from where this is used
+            $forcedownload = true;
+        }
+    } else {
+        // weird, there should be parent context, better force dowload then
+        $forcedownload = true;
+    }
+
     session_get_instance()->write_close();
     send_stored_file($file, 60*60, 0, $forcedownload);
 }
-- 
2.43.0
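Review bot: With `'noclean'=>true` and `PARAM_RAW` every block instance now stores raw HTML, so the only things standing between a user-context block and script execution are content_is_trusted() in block_html.php and the forced download in lib.php; the new inline comment should name them so a later edit to either function is recognised as security-relevant: `// XSS is prevented at display time by block_html::content_is_trusted() and at file serving by block_html_pluginfile()`. Any other consumer of config_text that prints it without going through content_is_trusted() would need its own cleaning, which cannot be checked from this hunk. The enclosing method starts before the hunk.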
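Review bot: `global $SCRIPT;` is added to block_html_pluginfile() but no line in either lib.php hunk reads `$SCRIPT`, and the second hunk's own comment says the calling page cannot be determined reliably, so the declaration looks unused; unless it is read in the part of the function between the two hunks (not shown), the line should be dropped. The function body continues past this hunk.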
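Review bot: The nested if/else that sets `$forcedownload` can be a single guard, which also makes the fail-closed default for a missing parent context explicit: `$parentcontext = get_context_instance_by_id($birecord_or_cm->parentcontextid);` / `if (!$parentcontext || $parentcontext->contextlevel == CONTEXT_USER) {` / `$forcedownload = true;`. The comment also has a typo (`dowload`) and the `//because` line lacks the space after `//` used elsewhere in the hunk. The function's opening lines are in the earlier hunk.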