16 April 2010, 6:08

From my reading of the documentation and Googling all this, Mahara supports a certain range of embedding of html objects (based on the hostname of the object, and other such things).

Is there a library of code for embedding other objects that aren't part of the core?

e.g. Vemo or scribd.com...etc

17 April 2010, 0:37

sauj,

HTML code embedded in Mahara is run through a filter to remove potentially-malicious code. You will be able to embed content from additional services, but you would have to develop a custom filter for the HTML purifier. Look in lib/htmlpurifiercustom for some examples. At some point, we would like to have a repository for users like yourself to submit additional filters, and even include some of them in Mahara - but that hasn't happened yet.

Hope that helps

Cheers,

Evan

07 May 2010, 10:01

This is really disappointing. I'm so used to having sensible control over my filters from Drupal or even Moodle - I understand the security concerns but it is really crippling what we can do with Mahara. Why not allow at least embedding via HTML files where no database commands can sneak in?

I could probably write my own purifier code for Viddler or Drop.io that we use the most but we're on a hosted service that doesn't allow custom code and there are too many services we'd like to embed anyway to make this into a flexible system.

09 May 2010, 22:38

Hi Dominik,

It wouldn't be too hard to replace htmlpurifier with a different filter of your choice, because it's all done in one function (the clean_html function in lib/web.php).

Alternatively if you still want to use htmlpurifier for most of the site, and it's only on a particular page that you want to do something different, then in many cases you'll find that the call to clean_html occurs in a template, so you may be able to do this by editing or overriding just that one template.

We don't really want to change the default behaviour though, because we'd rather that admins made a deliberate choice to have an insecure site!

R.