Dear list,
tl;dr: Today's releases will escape HTML/JS as "inactive" in all page editor
contexts by default. If you trust your authors/users, you may reactivate
this under "Administration > Editing > ILIAS Page Editor".
Long version:
To a certain extent ILIAS allows HTML/JS content to be included in page
editor content, e.g. in learning modules. This was a desired feature in
the early days of ILIAS and enabled authors to extend the features of
the standard editor.
In the context of wikis, this has been deactivated since the beginning
(HTML is escaped so that it is not interpreted by browsers); for other
parts like blogs and portfolios it is possible to configure this behaviour.
Even though the page editor can log every change in its "page history",
there has been an ongoing discussion about the trade-off between
flexibility and security (possible XSS attacks), see e.g.
https://docu.ilias.de/goto_docu_wiki_wpage_5406_1357.html
Since not everyone is aware of the implications, and since this has been
reported as a security issue multiple times now, all page editor
contexts will escape HTML so that it is no longer interpreted by
browsers. "Administration > Editing > ILIAS Page Editor" has been
extended to allow configuring this for each context individually.
Please note: This only concerns page editor content. HTML learning
modules and uploaded SCORM packages always allow uploading HTML and
JavaScript content. Do not give permission to create these resources to
users you do not trust. Use RBAC to set permissions accordingly or
deactivate these components completely.
Best regards
Alexander Killing
Dear all,
We have published security releases 5.3.20 and 5.4.10 on GitHub, see
https://github.com/ILIAS-eLearning/ILIAS/releases.
**Important**: These releases contain important security fixes, and it is
recommended to update your system.
Please have a look at the release notes for more information about these
releases: https://docu.ilias.de/goto_docu_lm_35.html.
Best regards,
Fabian Wolf