1. 15 Jul, 2016 1 commit
  2. 11 Jul, 2016 1 commit
  3. 14 Apr, 2016 1 commit
  4. 31 Mar, 2016 4 commits
  5. 23 Mar, 2016 1 commit
  6. 16 Dec, 2015 2 commits
  7. 25 Nov, 2015 1 commit
  8. 24 Nov, 2015 1 commit
    • Aaron Wells's avatar
      Display icons for 3rd-party blocktypes plugins · 4f849ed2
      Aaron Wells authored
      Bug 1510421
      
      Defines a new static PluginBlocktype method, get_css_icon(), which
      fetches the name of the CSS icon to use for this blocktype. It returns
      false by default, which tells the theme to "fall back" to the old
      thumbnail.png instead. 3rd-party plugins can override this to
      specify a particular icon to use.
      
      All the core blocktypes have been refactored to extend
      MaharaCoreBlocktype, which uses the blocktype name as the name
      of the CSS icon to use. I also deprecated the "SystemBlocktype"
      class while I was at it.
      
      PluginBlocktype::get_blocktypes_for_category() now returns both
      the results of get_css_icon() and the thumbnail.png path, so that
      themes can decide which they want to use. (And of course
      thumbnail.png is served via thumbnail.php, so 3rd party themes
      can provide their own custom image files if they wish.)
      
      behatnotneeded: Requires installing third-party plugins to test
      
      Change-Id: Idb1ecfc7b21175913708e695788906c11133b0c0
      4f849ed2
  9. 22 Oct, 2015 1 commit
  10. 19 Oct, 2015 1 commit
  11. 07 Oct, 2015 1 commit
  12. 23 Sep, 2015 1 commit
  13. 22 Sep, 2015 1 commit
  14. 09 Sep, 2015 1 commit
  15. 08 Sep, 2015 2 commits
  16. 08 Aug, 2015 1 commit
  17. 30 Jul, 2015 1 commit
  18. 15 Jul, 2015 1 commit
  19. 01 Jul, 2015 1 commit
  20. 15 Jun, 2015 4 commits
  21. 27 May, 2015 1 commit
  22. 07 May, 2015 1 commit
  23. 29 Apr, 2015 1 commit
  24. 15 Apr, 2015 1 commit
    • Robert Lyon's avatar
      Stopping SWF files XSS exploitation (Bug #1190788) · 8df9bdfa
      Robert Lyon authored
      By doing two things:
      
      1) Getting the embedded SWF object to set the
       allowscriptaccess = "never" and allownetworking = "never"
      
      2) By forcing a 'download file' link to actually download file
      - this goes for all files now that don't have embedded=1
      in their url.
      
      I've done it this way, having the embedded item have extra url param
      so that if a user tries to manipulate a url by removing params it
      will default to force download.
      
      I've merged the changes I'd done here https://reviews.mahara.org/#/c/3522/2
      
      
      and I've also cleaned up places where the download=1 was used as that is
      not needed now. Now if there are places where we need to embed rather
      than download we add the embedded=1 to the url.
      
      Change-Id: If5290a7c571d06d4178ef2ae5c4c09ed287403b4
      Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
      8df9bdfa
  25. 30 Mar, 2015 1 commit
  26. 28 Mar, 2015 1 commit
  27. 12 Mar, 2015 1 commit
  28. 09 Mar, 2015 1 commit
  29. 08 Mar, 2015 4 commits