justinhunt / moodle-filter_poodll Goto Github PK

We just recently noticed that responsiveiframe.js keeps increasing the poodll dialog height
immediately after any of the poodll buttons is clicked and the respective poodll dialog is displayed.
I have not changed the browser's window size, it just happens, endlessly, on its own.
I must imagine we are the only ones getting this, as it prevent the users from being able to work at all.

Hi,

When on capabilities screen (admin/roles/check.php?contextid=), I get the above message:
Invalid get_string() identifier: 'poodll:comparetext' or component 'filter_poodll'.

Moodle version: 3.9
Pooddl version: 3.1.39 (Build 2020122200)

Hello,
We are having problems with our students. They are sharing their user and password in Moodle to watch a recorded session by BigBlueButton. Could your tool limit the time of reproducing a recorded session per user?

Thanks in advance

When attempting to assign a grade to an Assignment in an LMS site where Poodll is installed but not subscribed to site errors out with:

Notice: Undefined property: stdClass::$filter_poodll_usecourseid in /var/www/data/default/lms/filter/poodll/classes/poodlltools.php on line 523
Skip to main content

The line of code:

  if ($CFG->filter_poodll_usecourseid) {
  	$courseid = $COURSE->id;
  } else {
  	$courseid = -1;
  }

Assumes poodll services are available -- this should be caught either with an isset($CFG->filter_poodll_usecourseid) or some other logic check in the workflow.

The grade is assigned once the error is accepted.

After the update to poodll 3.0.38(Build 2017041703) the html5 recording stopped working.

As before, recording doesn't work in Firefox (Ubuntu), but now it also stopped working in Chrome (57) Ubuntu. In the console I get

first.js:82 media error 
Object {name: "TrackStartError", message: "", constraint: "", toString: function}
onMediaError	@	first.js:82

While making a recording using poodll, Chrome has a red dot on the tab indicating that poodll is recording. Sometimes, after making a recording (possibly when you submit with an error), the light stays on, even though nothing should be recording and microphone/webcam should be inactive

Hello,
I found a deprecated call to coursemodule_visible_for_user l.755 of datasetmanager.php that then trigger a codingerror.
This can be replaced by info_module::is_user_visible($mod)
Sincerely
Celine

Hi Justin,

the widely used Essential theme for Moodle uses in the current version an option to enable/disable FitVids - default it is enabled.

The Essential description:
Enable FitVids (fitvidsjs.com) to make your embedded videos responsive. If FitVids is on and you want a video to be excluded then add 'class="fitvidsignore"' to the 'iframe' tag in the HTML mode of the editor. For example: '<iframe class="fitvidsignore" width="420" height="315" src="http://www.youtube.com/embed/enmEmym85xc" frameborder="0" allowfullscreen=""></iframe>'.

If FitVids is enabled, there are some problems with the PoodLL recorder - see old bug report. The recorder has an unusual size and overlaps sometimes important Moodle elements (e.g. if you grading PoodLL submissions). The old bug report describes a solution for that:

If embedded flash objects still have the issue (say as a part of a label) then add the 'fitvidsignore ' class to the container (use HTML mode in the editor) -> https://github.com/davatron5000/FitVids.js.

I could disable FitVids in the theme settings, but it provides responive design functionality for other video players. So it would be easier if you add the class="fitvidsignore" to the surrounding flash container in the filter code.

Thanks, Stefan

The basic jist is that if you make a recording in a textarea somewhere, save, go back in to edit the textarea, and while you are editing it, the conversion/transcoding completes, when you save, the converted file will be overwritten with the poodll placeholder.

This is because when you click to edit, it makes 'copies' of the files in the then current state as the user drafts area, and then when you save, it copies those draft files back into the main file records for the textarea, even if they were overwritten elsewhere in between.

Specific steps to reproduce:

1. As a student, go into a submission and record a video as you normally would. Note that it has to be pretty long for this to work (I did about 10 minutes).
2. Save your submission, and if you are doing it right, you will see the Poodle converting thumbnail.
3. Immediately click to edit the submission.
4. Just sit for a few minutes. In another browser you can view the submission as a teacher to see when the temp video is replaced with the real video (usually under a minute).
5. Back in the student view, save your submission again.

Normally this would be the desired behavior when working with files, so this isn't a bug with Moodle's handling IMO, but I think because of the very specific way PoodLL works, there would be a fix available. Since PoodLL works with unique file names, I think it would safe/desireable to overwrite all placeholder instances of a file with the particular file name, including those in draft areas, with the proper contenthash and filesize.

There is a call to shell_exec() function convert_with_ffmpeg :
https://github.com/justinhunt/moodle-filter_poodll/blob/poodll3/classes/poodlltools.php#L1295

The string that composes the command executed is constructed from variables from different sources. We should add normalization / validation of each of them to prevent any injections.

If I'm reading the release right, whiteboards are now supported in moodle 2.9. However, we are seeing the javascript error: "Uncaught Error: No define call for filter_poodll/react-with-addons" and the whiteboards fail to load.

This is in moodle 2.9.4 and the latest poodll from git (29+ BRANCH).

Hello,
l.717 of classes/dataset_manager.php call to get_all_mods
can be replaced by
$mods = get_fast_modinfo($courseorid)->get_cms();
$modnames = get_module_types_names();
$modnamesplural = get_module_types_names(true);
$modnamesused = get_fast_modinfo($courseorid)->get_used_module_names();

Sincerely

in https://github.com/justinhunt/moodle-filter_poodll/blob/master/poodllresourcelib.php#L3434 , raw values are set for params, which does not work in French, as

filter_poodll.php:$string['recui_echo'] = 'Suppression d\'écho';

contains an apostrophe, which is considered a string delimiter in JS. Therefore, running the code as-is results in a JS error, and no recorder is displayer.

I've replaced $value by urlencode($value) in the above mentioned place in the code, and it seems to fix the problem.

Hi Justin,

Is it possible for all poodll extensions to follow moodle branches names ? In my case, I have to deploy moodle in an automatic way and scripts checkout all plugins used each time we want to upgrade. It could be really nice if MOODLE_29_STABLE, MOODLE_30_STABLE and MOODLE_31_STABLE branches exist in your different repos.

Thanks

Registered for PoodLL, countdown timers work in the browser on a PC. However, getting the registration request when viewing on the mobile browser.

Hello.

We have an automated vulnerability scanner then checks our Moodle and other system.

I has raised the below as a possible issue. Could this please be looked into?

Location Of Vulnerability

moodleurl/filter/poodll/flowplayer/flowplayer-3.2.10.swf

Description
Adobe Flash content is commonly invoked with a number of configuration parameters known as FlashVars. Although Flashvars are typically supplied within the body of the HTML document, it is also possible to supply them directly via the query string (e.g moive.swf?flashvar1=value&flashvar2=value2).
If a Flashvar value is passed to a function that performs navigation or JavaScript execution, it may be possible to perform a Cross Site Scripting attack (XSS).
Cross-Site Scripting
Reflected XSS vulnerabilities are typically exploited by embedding malicious script code within links to the application. The attacker would then attempt to coerce the user into following the maliciously crafted link via a social engineering attack such as a Phishing email.
Upon clicking the malicious link the embedded script code is executed within user's web browser.
XSS vulnerabilities could by exploited to:
• Read user session cookies and submit them to the attacker. The attacker can then hijack the users session with the application.
• Access sensitive information stored within the body of the page such as HTML forms (or the entire page). The attacker could exploit this to read data protected by the Same Origin policy.
• Perform "Onsite Request forgery". Since JavaScript executes within the context of the victim user it is possible to perform any action the user can perform. The attacker could exploit XSS flaws to invoke dangerous functions such as "transfer funds".
• Inject JavaScript to log keystrokes
• Deploy exploit frameworks (e.g. BeEF, XSSShell, XSS Harvest) to conduct maintain control of the users session even if the user browses away from the affected page.
• Attack the users browser using browser exploits.
• Deploy Trojan programs exploiting the trust a user may have in an application.
• Redirect the user to a malicious website.
• Deface the application.
Read more on XSS.
The following XSS vulnerabilities were idetified
The ActionScript Function ExternalInterface.call is used to execute JavaScript within the web browser. If unfiltered user controllable input is passed to this function, it may be possible to perform a Cross Site Scripting attack.

Solution

Strictly Filter User Input
Data passed to the SWF application via FlashVar variables should be strictly validated to ensure it contains only known good data.

Firstly I only installed mod_readaloud, it showed errors as above, then I also installed and configured filter_poodll, the errors still exsits.
I'm running Moodle 3.10 on Nginx. Is there some rewrite rules I should add to the nginx site conf file?

Hi,

I'm just testing this plugin and getting this issue when I attempt to use my phone running iOS 10:

After recording, press insert.

Your OS version is too low.

Android requires version 4 or greater.

iOS requires version 6 or greater.

While "always use HTML5" is selected for the recorder into the filter settings the audio recorder doesn't appear anywhere, there's juste a button "record or choose a file".
When clicked this button only allows to choose an audio file in the client file system.

There is no problem when the flash recorder is activated, it takes place instead of the previously mentionned button and works well.

Test context :
Moodle 2.9.3+ (test site only available into a local network)
All latest version from poodll plugins set installed (poodll filter : version 2.8.3(Build 2015121104))

In the recorder (in the submission) there is a confusing button "Save". It would be better to rename it to "Upload". The reason is that there is another button "Save changes" in the submission.

The language string is filter_poodll -> recui_save

I renamed it my local installation to "Upload audio/video to the system"

I have been using the flashcard widget in the POODL filter plugin with good results, but there are two words that are hard-coded in the code: 'Back' and 'Next' are declared as text constants (for 'backButton' and 'nextButton') in the file flashcards.lzx.js.

Not being a programmer, I naively think it might be possible to change those two into variables, so that they would be declared in the corresponding PHP file within the LANG folder, and be accesible to Moodle translators in AMOS.

Being such a highly downloaded plugin, I think the POODLL filter would improve if all the strings used were translatable in AMOS. This plugin's current 128 English language strings are currently translated in AMOS into Finnish (fi) , French (fr), German (de) , Serbian (Cyrillic) (sr_cr) , Serbian (Latin) (sr_lt) and Spanish - Mexico (es_mx).

Thanks in advance for your help.
I have been using the flashcard widget in the POODL filter plugin with good results, but there are two words that seem to be hard-coded in the code: 'Back' and 'Next' are declared as text constants (for 'backButton' and 'nextButton') in the file flashcards.lzx.js.

Not being a programmer, I naively think it might be possible to change those two into variables, so that they would be declared in the corresponding PHP file within the LANG folder, and be accesible to Moodle translators in AMOS.

Being such a highly downloaded plugin, I think the POODLL filter would improve if all the strings used were translatable in AMOS. This plugin's current 128 English language strings are currently translated in AMOS into Finnish (fi) , French (fr), German (de) , Serbian (Cyrillic) (sr_cr) , Serbian (Latin) (sr_lt) and Spanish - Mexico (es_mx).

Thanks in advance for your help.

There is general selector in styles which can cause problems with other plugins
https://github.com/justinhunt/moodle-filter_poodll/blob/poodll3/styles.css#L2465

That .marker i is bit too general/wide rule especially for Moodle which has habit of having variations with various selectors with it's numerous plugins and coding practises.

In this case that selector should be bit more poodll spesific so it would be more safer to not affect other elements.

In this case it was noticed because it causes similarly named element in Moodles 'format_onetopic' to break down because that too has element classified as marker i

After a number of tests, this plugin was rejected by our Moodle hosting provider for the following reasons:

The filter does not display the Whiteboard recorder due to Javascript not fully loading jquery before running.

The following fatal error is encountered:
TypeError: $ is undefined in drawingboard.min.js

Furthermore, the plugin does not seem to adhere to M29's standards for AMD style javascript.

The following error is happening with the latest version 2020061400 release 3.1.34 (Build 2020061400) of filter_poodll when attempting upgrade from the previous version, which leaves the site stuck at the plugin upgrade screen:

!!! Exception - Undefined class constant 'AWS_NONE' !!!
!!
Error code: generalexceptionmessage !!
!! Stack trace: * line 97 of /filter/poodll/db/upgrade.php: Error thrown
    line 632 of /lib/upgradelib.php: call to xmldb_filter_poodll_upgrade()
    line 1857 of /lib/upgradelib.php: call to upgrade_plugins()
    line 182 of /admin/cli/upgrade.php: call to upgrade_noncore()
    !!

Hi, Justin.

I encountered an error when installing the PoodLL filter on Moodle 3.0.

Notice: Undefined property: stdClass::$filter_poodll_serverport in /var/www/vhosts/prototype.moodle.net/html/pluginsdemo/filter/poodll/poodllinit.php on line 16 Notice: Undefined property: stdClass::$filter_poodll_serverport in /var/www/vhosts/prototype.moodle.net/html/pluginsdemo/filter/poodll/poodllinit.php on line 16 Notice: Undefined property: stdClass::$filter_poodll_servername in /var/www/vhosts/prototype.moodle.net/html/pluginsdemo/filter/poodll/poodllinit.php on line 22 Notice: Undefined property: stdClass::$filter_poodll_serverport in /var/www/vhosts/prototype.moodle.net/html/pluginsdemo/filter/poodll/poodllinit.php on line 22 Notice: Undefined property: stdClass::$filter_poodll_serverid in /var/www/vhosts/prototype.moodle.net/html/pluginsdemo/filter/poodll/poodllinit.php on line 22 

I also wasn't getting any audio from the plugin afterwards. Perhaps this was part of the cause.

PS. Are you working on a non-Flash version?

Version conflict that cannot be resolved in an endless loop
see screenshot

When our users are uploading videos via Poodll, they commonly are just using the TinyMCE editor plugin. When they attempt to replicate this using the iOS interface on an iPad, while we see "uploaded successfully" the Insert button never activates.
BH

Hello:

Moodle 3.1.3+ Plugin “PoodLL Filter” – Cross-Site Scripting(XSS)
Procuct: Moodle plugin “PoodLL Filter”
Download url: https://moodle.org/plugins/filter_poodll
Vunlerable Version: 3.0.20 and probably prior
Tested Version: 3.0.20
Author: ADLab of Venustech

Advisory Details:
I have discovered a Cross-Site Scripting (XSS) in Moodle plugin “PoodLL Filter”, which can be exploited to add,modify or delete information in application`s database and gain complete control over the application.

The vulnerability exists due to insufficientfiltration of user-supplied data in “poodll_audio_url” HTTP GET parameter passed to “filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazil/index.php” url. An attacker could execute arbitrary HTML and script code in browser in context of the vulnerable website.
The exploitation examples below uses the "alert()" JavaScript function to see a pop-up messagebox:

POC:
http://localhost/moodleplugins/filter_poodll_moodle32_2016112802/poodll/mp3recorderskins/brazil/index.php?poodll_audio_url=%22%27});%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E#%22