Feature Wiki

Abandon HTML/Javascript in Page Editor Text Paragraphs

1 Reasons to Abandon Feature

HTML and JavaScript interpretation in text paragraphs is a constant source of security concerns. Currently the page editor administration allows HTML/JS interpretation to be enabled or disabled for all contexts at once, and some admins may not be aware of the security implications. Alternative approaches to supporting JS/HTML content have been discussed, mainly on the page Higher level of security for HTML content, but there is currently not much progress in that discussion.

Hopefully, removing the support from text paragraphs will add momentum to the development of a secure approach such as subdomain isolation.

Changes:

  • The setting "Enable HTML/Javascript" under "Administration > Layout and Navigation > Editing" will be removed.
  • HTML will be escaped and no longer interpreted by the browser.
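The escaping change described above, shown as an added example that is not ILIAS code (the helper names are hypothetical and the sample paragraph content is constructed): it contrasts the removed setting's raw output with output escaping of the same text paragraph, so the browser displays tags as text instead of interpreting them.

```php
<?php
// Added example, not ILIAS code: the old "Enable HTML/Javascript" behaviour
// (raw paragraph content sent to the browser) beside output escaping.

declare(strict_types=1);

/**
 * Output escaping: every character the browser could read as markup is replaced
 * by its entity, so "<script>" arrives as "&lt;script&gt;" and is shown literally
 * in angle brackets rather than executed. ENT_QUOTES covers both quote styles,
 * ENT_SUBSTITUTE avoids an empty result on invalid UTF-8, and the default
 * double_encode=true means an entity such as "&nbsp;" is shown literally too.
 */
function escapeParagraph(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical renderer mirroring the removed setting: with HTML/JS enabled the
 * stored content went to the browser unchanged; otherwise it is escaped.
 */
function renderParagraph(string $content, bool $htmlEnabled): string
{
    return $htmlEnabled ? $content : escapeParagraph($content);
}

/** True when the rendered output still contains something the browser parses as a tag. */
function containsRawTag(string $html): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $html);
}

// Constructed sample paragraph content, as an editor might have stored it:
$samples = [
    'anchor' => '<a id="top"></a>Jump <a href="#top">back to top</a>',
    'script' => 'Hello <script>alert(document.domain)</script>',
    'entity' => 'Keep&nbsp;together and keep' . "\u{00A0}" . 'together',
];

foreach ($samples as $name => $content) {
    $legacy  = renderParagraph($content, true);   // old behaviour, setting enabled
    $escaped = renderParagraph($content, false);  // new behaviour, always escaped
    printf("%s\n  legacy : %s (raw tag: %s)\n  escaped: %s (raw tag: %s)\n",
        $name, $legacy, containsRawTag($legacy) ? 'yes' : 'no',
        $escaped, containsRawTag($escaped) ? 'yes' : 'no');
}
```

The "anchor" sample shows why page content has to be reworked after the change: the anchor markup is displayed as text, not as a link. The "entity" sample shows that a typed `&nbsp;` entity becomes visible as literal text after escaping, while a real non-breaking space character (U+00A0) passes through unchanged, because htmlspecialchars only touches markup characters.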

2 Technical Information

No technical issues.

3 Contact

4 Funding

Removing the feature from the ILIAS code base might need funding. If you are interested in funding this request, please add your name and institution to this list.

  • ...

5 Discussion

Use the following discussion section to express your objections to this request or your consent to removing this feature.

Kunkel, Matthias [mkunkel], 11 MAY 2021 : I see the implications of this request and support the suggestion (Side note: we should restrict HTML for TinyMCE as well...). But we have to communicate this fundamental change early and clearly as it has a high impact on a lot of installations. HTML has often been used in the past to beautify ILIAS pages - especially before we introduced column layout, tile view and some other layout improvements. The content of all these pages has to be updated and purified from HTML – which needs a lot of human resources...

JourFixe, ILIAS [jourfixe], 17 MAY 2021 : To improve the security of ILIAS we accept this request and abandon HTML/JS in all page editor contexts with ILIAS 8. HTML and JS code in pages created with the ILIAS page editor will be escaped and presented in brackets (output escaping). We will notify users over known channels (admin list and Twitter) about this change to give them enough time for updating the page content.

admichel, 21 MAY 2021: I understand this wish from a technical perspective. However, as a Content Creator who needs to fulfill the most exotic wishes and needs of scientists... this is plain bad news. If you want to encourage people to skip ILIAS completely as a content creation tool: This is the way to do it. It may be useful to restrict HTML for most Users - But it needs to be available for special purposes and roles.

Schmitt, Pascal [pascal.schmitt], 5 JUL 2021: The risk assessment is currently left to the institution. It can decide whether to allow html or not. This should remain the case in the future. I am therefore against removing the html support.

Seibt, Alina [alina.seibt], 24 JAN 2022: By abandoning this feature some scenarios won't be feasible any longer: while you have multiple ways to customize your pages with the content style, this won't work for any popular content design: for example you cannot add anchors to pages (category, course, group...) and "back to top"-buttons etc. Next question: will non-breakable spaces work without html/java? I'd like to use html in paragraphs, especially when the page editor cannot offer these functions.

Kaiser, Sascha [skaiser]: From a user perspective, I think a complete removal of the HTML functions is catastrophic. Especially in projects we work a lot with this option. The option of activation/deactivation should at least be left to the institutions.

Killing, Alexander [alex], 31 May 2023: HTML functions are not removed completely. You are able to create HTML media objects, if activated in the administration. Mixing HTML into usual text paragraphs didn't allow cleanly separating the problematic HTML from the rest of the content, and it did not allow enabling concepts favoured by the TB such as subdomain isolation, see Higher level of security for HTML content. Currently the IRSS does not support full directory coverage (afaik), so this is a missing part, if it should foster subdomain isolation in any way. As a maintainer of the media object component, I support additional steps necessary to make them usable. There are several possible steps forward, see Media Pools and Media Objects.

6 Implementation

Settings removed; behaviour changed according to the JF decision of 17 May 2021.

Removed Testcases

The following test cases have been removed from TestRail or modified because the feature is no longer part of the ILIAS core.

  • C347 was removed.

Approval

Approved at {date} by {user}.

Last edited: 31. May 2023, 13:05, Killing, Alexander [alex]