Description: This PR refactors the `noreplyemail` language string. This was done to resolve unit test failures in Totara 17:

Problem

`test_no_exploitable_string_helper_uses` in `server/lib/tests/mustache_str_helper_test.php`

Occurring here: https://github.com/catalyst/moodle-tool_emailutils/blob/MOODLE_39_STABLE/templates/postmaster.mustache#L41

Looks like Totara doesn't like it when language string templates/helpers are used like here:

```mustache
<p>{{#str}} noreplyemail, tool_emailutils, {{ noreply }} {{/str}}</p>
```

They have a whitelist that can be used to skip certain files, but this would require a core hack:

```php
$whitelist = new path_whitelist([
    $CFG->dirroot . '/lib/templates/test.mustache', // A mustache test file. Must not contain anything exploitable.
    $CFG->dirroot . '/totara/core/templates/progressbar.mustache', // Deprecated since Totara 12.
]); // Totara: path_whitelist
```

Solution

Use the `code` HTML element in the Mustache template instead of the language string. This does not change the styling or structure of the template when rendered. This was tested using the template library.

This PR also fixes the example context in the template by removing trailing commas and changing `vendors` to `vendor` in the `vendorinfo` object. This can be tested in `admin/tool/templatelibrary/index.php?component=&search=emailutils`.
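As an added example (not code from moodle-tool_emailutils and not the Totara test itself), the following Python scanner flags the pattern the Totara test rejects: a `{{#str}}` helper whose arguments contain another Mustache tag. It is useful for checking a plugin's `templates/` directory locally before a Totara CI run. The `BEFORE` sample is the template line quoted above; the `AFTER` sample is an assumed shape of the fix (a plain variable inside a `<code>` element with no `str` helper around it), not the PR's actual markup. Flagging any Mustache tag inside the helper arguments is a conservative approximation; the exact rules of Totara's test are not described on this page.

```python
"""Scan Mustache templates for {{#str}} helpers whose arguments contain another
Mustache tag, the pattern the Totara unit test in the PR description rejects.

Added example; not code from moodle-tool_emailutils or from Totara.
"""
import re
import sys

# Constructed sample: the template line the PR replaces (templates/postmaster.mustache).
BEFORE = '<p>{{#str}} noreplyemail, tool_emailutils, {{ noreply }} {{/str}}</p>'

# Constructed sample: assumed shape of the fix, a plain variable inside a <code>
# element with no str helper around it (assumption, not the PR's actual markup).
AFTER = '<p>Mail is sent from <code>{{ noreply }}</code>.</p>'

# A {{#str}} ... {{/str}} section. DOTALL because helper arguments may span lines.
STR_HELPER = re.compile(r'\{\{\s*#\s*str\s*\}\}(.*?)\{\{\s*/\s*str\s*\}\}', re.DOTALL)

# Any Mustache tag: escaped {{ }} and unescaped {{{ }}} / {{& }} variables, or nested sections.
MUSTACHE_TAG = re.compile(r'\{\{\{?[^{}]*\}\}\}?')


def find_exploitable_str_helpers(template: str) -> list[dict]:
    """Return one record per {{#str}} helper that interpolates a Mustache tag into its arguments.

    Each record carries the 1-based line where the helper starts, the stripped
    argument text, and the tags found inside it.
    """
    hits = []
    for match in STR_HELPER.finditer(template):
        args = match.group(1)
        tags = MUSTACHE_TAG.findall(args)
        if tags:
            hits.append({
                'line': template.count('\n', 0, match.start()) + 1,
                'args': args.strip(),
                'tags': tags,
            })
    return hits


def scan_files(paths: list[str]) -> int:
    """Print every hit and return the number of offending helpers across all files."""
    total = 0
    for path in paths:
        with open(path, encoding='utf-8') as fh:
            for hit in find_exploitable_str_helpers(fh.read()):
                total += 1
                print(f"{path}:{hit['line']}: str helper interpolates {hit['tags']}: {hit['args']}")
    return total


if __name__ == '__main__':
    if len(sys.argv) > 1:
        # Usage: python scan_str_helpers.py templates/*.mustache
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    # With no arguments, check the two constructed samples.
    print('before:', find_exploitable_str_helpers(BEFORE))
    print('after: ', find_exploitable_str_helpers(AFTER))
```

Run it over `templates/*.mustache`; a non-zero exit means at least one `str` helper still takes a Mustache tag in its arguments. A helper whose arguments are only literal key and component names, such as `{{#str}} pluginname, tool_emailutils {{/str}}`, is not reported.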