Moodle Bug: Unable to inject <script>javascript code</script> in blocks or course activities
-
wrote on Aug 20, 2024, 8:17 AM last edited by
I want to embed the following chatbot, but injecting the javascript does not work on my cloudron moodle instance.
After testing on different instances, it turns out this might be a cloudron packaging bug.
I tested the following code on 4 moodle instances:
- moodle demo: https://sandbox.moodledemo.net/
- moodle for mac: https://download.moodle.org/macosx/
- my original cloudron moodle
- new cloudron moodle
moodle demo and moodle for mac work fine, but cloudron moodles do not work.
Steps to recreate the issue
- install moodle and change editor preference to Plain Text
- create a course and add an activity
- copy and paste the following code
<flowise-fullchatbot></flowise-fullchatbot> <script type="module"> import Chatbot from "https://unpkg.com/flowise-embed/dist/web.js" Chatbot.initFull({ chatflowid: "f5adc8af-d9e3-4735-af79-886f237c354e", apiHost: "https://flowise.riverhill.ai", theme: { chatWindow: { showTitle: false, title: '', titleAvatarSrc: '', welcomeMessage: '', errorMessage: 'Error! Please contact twang293@gmail.com', backgroundColor: "#fff", fontSize: 16, botMessage: { backgroundColor: "#fafafa", textColor: "#000", showAvatar: true, avatarSrc: "https://images.riverhill.ai/circle-offwhite.png", }, userMessage: { backgroundColor: "#3B81F6", textColor: "#ffffff", showAvatar: false, avatarSrc: "", }, textInput: { placeholder: '', backgroundColor: '#ffffff', textColor: '#303235', sendButtonColor: '#3B81F6', maxChars: 300, maxCharsWarningMessage: 'Maximum Characters = 500', autoFocus: true, sendMessageSound: false, receiveMessageSound: false, }, feedback: { color: '#303235', }, footer: { textColor: '#', text: '', company: '', companyLink: '', } } } }) </script> -
wrote on Aug 21, 2024, 11:24 AM last edited by
Any updates?
-
This might very well be a CSP issue where the browser just blocks sourcing of external scripts. Do you see any errors in your browser console which might be related?
wrote on Aug 21, 2024, 11:52 AM last edited by@nebulon probably not CSP, because the script can be injected into the "additional html" section. It just cannot be injected directly in course activities or blocks.
It works fine on other instances. I can inject the script any where.
The problem is I already have too much code in the "additional html" settings. I want to inject the script along with its html. And I need to embed several of these chatbots in the near future. So the better practice is to isolate these snippets.
-
wrote on Aug 21, 2024, 11:53 AM last edited by
By "additional html" setting, I mean "site admin > appearance > additional html"
-
Staffwrote on Aug 21, 2024, 12:08 PM last edited by nebulon Aug 21, 2024, 12:10 PM
I guess we need someone here with basic moodle experience at least then. I am not really following the issue tbh. So you cannot submit a form to inject the code or is the code just not injected or is there any error anywhere? But also injecting the same code in the "Additional HTML" feature works as expected?
It could be that other places to inject code requires moodle to write to a read-only location on disk, but then some error should be shown to get more insight.
-
wrote on Aug 21, 2024, 12:35 PM last edited by taowang Aug 21, 2024, 12:43 PM
Injecting the script here works:
But injecting in course page does not work:
In the console, there are some errors:
-
wrote on Aug 21, 2024, 12:36 PM last edited byThis post is deleted!
-
wrote on Aug 21, 2024, 12:46 PM last edited by
But these errors are not related to the injection problem.
-
N nebulon marked this topic as a question on Aug 21, 2024, 12:54 PM
-
Those errors seem more like a moodle internal problem and possibly bugs worth reporting upstream unless those come from some of the custom code snippets.
-
wrote on Aug 22, 2024, 1:36 AM last edited by
I recorded a video to demonstrate the issue.
-
wrote on Aug 22, 2024, 3:56 AM last edited by
After deeper investigation, it is likely related to CSP.
But I don't know how the moodle demo site sets its CSP to allow script and css injection directly into course pages. -
wrote on Aug 22, 2024, 7:50 AM last edited by
@joseph
I just tested the following 4 csp blockers but did not work.
The chatbot is still not showing up.
I am not sure if these plugins are actually good quality.
Some comments say it works, while other say it doesn't work.https://chromewebstore.google.com/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden
https://chromewebstore.google.com/detail/anti-cors-anti-csp/fcbmpcbjjphnaohicmhefjihollidgkp
https://chromewebstore.google.com/detail/allow-csp-content-securit/hnojoemndpdjofcdaonbefcfecpjfflh
https://chromewebstore.google.com/detail/csp-unblock/lkbelpgpclajeekijigjffllhigbhobd -
@taowang I tested from your video. From the browser's source it seems that the links are convereted into a tags. In Page -> More -> Filter, if you set "Convert URLs into links and images" to Off, something loads. I can send Hi to chatbot and it returns something.
-
wrote on Aug 22, 2024, 9:30 AM last edited by taowang Oct 3, 2024, 1:54 AM
OMG it worked!!!! Thank you very much.
Here is a site-wide config for all course pages:
- go to site administration > plugins
- press command + 5 to search for "Convert URLs into links and images"
- click on settings and toggle off the HTML format
- use HTML format when injecting code with urls
-
wrote on Aug 22, 2024, 9:33 AM last edited by
-
J joseph has marked this topic as solved on Aug 22, 2024, 10:07 AM
-
J joseph referenced this topic on Oct 17, 2024, 11:47 AM
-
T taowang referenced this topic on Oct 20, 2024, 2:49 AM
