Dear list members,
A security issue has been identified (big thanks to Nicolas Schäfli) and fixed for ILIAS versions >= 5.0.
According to the Jour Fixe decision, the responsible component maintainer introduced some changes to the handling of HTML files uploaded as media objects.
Jour Fixe, FEB 13, 2017: "To patch this problem we decided to prohibit the upload of HTML and the interpretation of HTML in media objects for 5.0 to 5.2."
If *.html files are uploaded, they are now always renamed to *.sec (similar to the handling of executables). The rendering has been deactivated. Existing *.html files (uploaded before the patch) are no longer rendered, but there is not yet a concept for deleting or renaming these files.
Best regards, Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
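
Because files uploaded before the patch keep their *.html names, an operator may want to inventory them and apply the same *.html to *.sec rename. The script below is an added example, not ILIAS code and not part of the original message; the directory argument is an assumption and must point at wherever your installation stores uploaded media objects, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ILIAS code. The directory argument is an assumption:
# pass the location where your installation stores uploaded media objects.

# List files whose name ends in .html (any letter case) below the directory.
list_legacy_html() {
    find "$1" -type f -iname '*.html' -print
}

# Rename each legacy file from NAME.html to NAME.sec, mirroring the rename the
# patch applies to new uploads. Mode "dry-run" (the default) only prints the
# plan; mode "apply" performs it. An existing target is never overwritten.
rename_legacy_html() {
    dir=$1
    mode=${2:-dry-run}
    find "$dir" -type f -iname '*.html' -exec sh -c '
        mode=$1; shift
        for src in "$@"; do
            dst="${src%.*}.sec"          # strip the final extension, add .sec
            if [ -e "$dst" ]; then
                echo "SKIP   $src (target exists: $dst)"
            elif [ "$mode" = apply ]; then
                mv -- "$src" "$dst" && echo "RENAME $src -> $dst"
            else
                echo "PLAN   $src -> $dst"
            fi
        done
    ' sh "$mode" {} +
}
```

Run `rename_legacy_html <dir>` first and review the plan; pass `apply` as the second argument only once the list looks right.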