mahara-contributors team mailing list archive

Thread
Date

[Bug 687597] Re: Make sure that Mahara does not trust the portfolio content exported from Moodle

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Ruslan Kabalin <687597@xxxxxxxxxxxxxxxxxx>
Date: Thu, 09 Dec 2010 13:56:31 -0000
Reply-to: Bug 687597 <687597@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

We do clean_html in html blocktype, aren't we? So, there should be no
sanity problems when exporting from Moodle. Though, I have added a virus
check for imported files (see b64be4db).


** Changed in: mahara
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/687597

Title:
  Make sure that Mahara does not trust the portfolio content exported from Moodle

Status in Mahara ePortfolio:
  New

Bug description:
  As tracked in http://tracker.moodle.org/browse/MDL-25619, Moodle 2.0 does not clean output HTML when exporting content to a remote portfolio. From Moodle point of view, the portfolio system is responsible for the input sanitization regardless the source. Please make sure that you handle the data exported from Moodle correctly - it may contain malicious content, nasty Javascript etc.

References

[Bug 687597] [NEW] Make sure that Mahara does not trust the portfolio content exported from Moodle
From: David Mudrák, 2010-12-08