Important
Notice: This release drops support for Moodle 2.7 through 3.10 and PHP 5.4 through 7.2. The minimum supported versions are now Moodle 3.11 and PHP 7.3.
A separate legacy version of FilterCodes is available on the MOODLE_311_LEGACY branch for sites running Moodle 2.7 through 3.11. This is the final release for those legacy versions of Moodle and will not receive further updates. All non-legacy-specific improvements in the legacy version are also included in this 3.0.0 release. Sites already on Moodle 3.11 can install 3.0.0 directly without first upgrading Moodle — the overlap is intentional to make the transition smoother.
Security - {scrape} tag: This release contains an important security fix for the {scrape} tag (SSRF/LFI protection - Issue #361). Sites that use the {scrape} tag are strongly encouraged to upgrade. The fix tightens what the {scrape} tag is allowed to fetch and how it is processed; see the Fixes/updates section for details. The {scrape} tag remains enabled on sites where it was already enabled - no re-configuration is required, but administrators may wish to review the new settings (described below) to tune size limits, caching, and allowed hosts to suit their site. If your site currently scrapes pages larger than 1 MB, or scrapes non-HTML content (such as plain text or JSON), those scrapes will stop working after the upgrade - review the new {scrape} settings and adjust the maximum response size if needed, or note that non-HTML responses are no longer supported.
New features
-
Added a comprehensive PHPUnit test suite - 267 tests with 469 assertions across 15 categories - to improve long-term quality and stability.
-
Added new settings for the
{scrape}tag:- Allowed hosts - optional list of permitted hostnames. Default: empty (all public HTTP(S) hosts allowed, subject to Moodle's cURL security settings).
- Maximum response size - caps how much content can be downloaded per scrape. Default: 1 MB.
- Cache lifetime - how long successful scrape results are cached. Default: 30 seconds.
- Show missing-content message - choose between displaying a "content missing" message or failing silently when scraped content is unavailable. Default: silent.
-
Added support for nested
{ifprofile}tags. -
Added a maximum width option for the
{coursecontacts}tag, which can now also be displayed inline.
Fixes and updates
- Security: Hardened the
{scrape}tag against SSRF/LFI attacks by allowing only HTTP(S) URLs, resolving root-relative URLs against the site URL, using Moodle's built-in cURL security helper, rejecting non-HTML responses, limiting response size, and sanitizing scraped content before display (Issue #361). - Improved
{scrape}performance with configurable caching, conservative request timeouts, redirect limits, and mid-download size enforcement. - Changed missing
{scrape}matches to return the configured fallback output instead of the full remote page. - Fixed
{ifactivitycompleted}so that failed graded activities no longer count as completed (Fix-346). - Fixed the
{ifnotcustomrole}tag, which had been broken since version 2.7.0 (Fix-356). - Now compatible with Moodle LMS 3.11 LTS through 5.2.
- Now compatible with PHP 7.3 through 8.4.
- Bumped the minimum supported Moodle LMS version to 3.11 and the minimum PHP version to 7.3.
- Removed the internal
str_containspolyfill (no longer needed on supported PHP versions). - Updated to comply with current Moodle coding standards.
- Updated copyright notice for 2026.
- Note: The automated CI lane for PHP 8.4 + Moodle 5.2 is pending an upstream
moodle-plugin-cifix; this combination has been manually tested.