Embed advanced HTML

For security reasons, the ability to embed advanced HTML in Totara has been removed by default. You can revert back to the previous functionality by following these steps:

Go to Quick-access menu > Security > Security settings.
Tick the Disable consistent cleaning setting.
Click Save changes.

If this setting is not enabled then noclean options for showing advanced HTML will also be ignored.

We strongly recommend that you do not enable this setting, as doing so could expose your site to security risks.

For full details of these changes please see the developer documentation.

A security patch in version 15.36 changed the behaviour of HTML files in courses. Any embedded HTML you have added to a course using the file resource will now be downloaded instead of being viewed on the page. If you need to revert to the previous behaviour you will need to disable consistent cleaning (see above), then set the $CFG->allow_inline_uploaded_html = 1; flag in config.php. We do not recommend using this flag unless it is critical to your site's operation. If enabled, a warning will appear in the site's security report.

Join the Totara Community for more resources to help you get the most out of Totara.

© Copyright 2025 Totara Learning Solutions. All rights reserved. Some content originally obtained via GPLv3 license and continues to be available under GPLv3. All other content is the sole copyright of Totara Learning Solutions.