Data and Content Security
Content can contain malicious elements, and it also needs to be protected from unauthorized access. In this section, we shall deal with the security of data and content.
Content Created Within Moodle
Users are able to create content in Moodle either by using the resource editor or by uploading files. A number of settings are available to prevent misuse.
HTML allows external code to be embedded using explicit EMBED and OBJECT tags. This mechanism has recently gained popularity with sites such as YouTube and Google Maps providing code to be embedded for their users. Potentially malicious code can be put in the embedded script, which is why support for these tags is deactivated by default. To activate it, go to Security | Site policies and locate the Allow EMBED and OBJECT tags parameter.
The Moodle editor uses a mechanism called KSES to remove any unwanted HTML elements and attributes. A more secure version called HTML Purifier is currently under development, and can be activated...
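The allowlist filtering described above, as an added Python example that is not Moodle's or KSES's code: elements and attributes not on the list are dropped, and EMBED and OBJECT pass only when a flag standing in for the site policy is enabled. The tag lists, the `clean` function and the `allow_embed_object` flag are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlists for illustration; not the lists Moodle or KSES ship.
BASE_TAGS = {"p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
             "a": {"href", "title"}, "img": {"src", "alt"}}
EMBED_TAGS = {"object": {"data", "type", "width", "height"},
              "embed": {"src", "type", "width", "height"},
              "param": {"name", "value"}}
URL_ATTRS = {"href", "src", "data"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL
VOID_TAGS = {"img", "embed", "param"}           # elements with no end tag


class AllowlistFilter(HTMLParser):
    def __init__(self, allow_embed_object=False):
        super().__init__(convert_charrefs=True)
        self.allowed = dict(BASE_TAGS)
        if allow_embed_object:  # models the site-policy switch; off by default
            self.allowed.update(EMBED_TAGS)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            return  # drop the tag itself; its text content is still emitted
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name not in self.allowed[tag]:
                continue  # removes onclick, style and anything else unlisted
            if name in URL_ATTRS and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # removes javascript:, data: and similar schemes
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.allowed and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def clean(html, allow_embed_object=False):
    """Return html reduced to the allowlist; EMBED/OBJECT only if enabled."""
    flt = AllowlistFilter(allow_embed_object)
    flt.feed(html)
    flt.close()
    return "".join(flt.out)
```

Even with the flag enabled, the URL attributes of EMBED and OBJECT are still checked against the scheme allowlist, so enabling the tags widens what is accepted without disabling attribute filtering.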