mahara-contributors team mailing list archive

[Bug 817342] A change has been merged

 

Reviewed:  https://reviews.mahara.org/575
Committed: http://gitorious.org/mahara/mahara/commit/b3506a4a7dc735f7fd4fa18c538921fce3ed43e1
Submitter: Richard Mansfield (richardm@xxxxxxxxxx)
Branch:    1.3_STABLE

commit b3506a4a7dc735f7fd4fa18c538921fce3ed43e1
Author: Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>
Date:   Wed Aug 10 10:35:52 2011 +1200

    Json-encode strings included in viewacl javascript (bug #817342)
    
    Adds a new dwoo function to json-encode strings for inclusion in
    template javascript, and uses the function in the viewacl template.
    
    Change-Id: I67af2dc10a975c0c71609106a0251e8ab8e8d7b6
    Signed-off-by: Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/817342

Title:
  Unencoded strings included in viewacl javascript

Status in Mahara ePortfolio:
  Confirmed
Status in Mahara 1.3 series:
  Confirmed
Status in Mahara 1.4 series:
  Confirmed

Bug description:
  The viewacl template has javascript which includes strings directly
  from the language pack in single quotes instead of json encoded.
  Strings containing single quotes will result in syntax errors and will
  stop the js from executing.

  I'll mark this as "security" till I've had a chance to discuss it with
  the others, but it's only exploitable by language pack maintainers, so
  it's probably better as public.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/817342/+subscriptions
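
The failure described in the bug report, next to the JSON-encoding approach named in the commit message, as an added example that is not Mahara's code or its Dwoo function. `LANG`, `renderQuoted`, `renderEncoded`, `jsonForScript` and the sample string are hypothetical names and constructed data; the extra `\uXXXX` escaping assumes the output lands in an inline `<script>` block.

```javascript
// Added example, not Mahara code. LANG is a constructed language-pack entry.
const LANG = {
  // Constructed translated string containing an apostrophe.
  sharewith: "Partager avec l'utilisateur",
};

// Before: the template drops the string between single quotes.
function renderQuoted(key) {
  return "var label = '" + LANG[key] + "'; return label;";
}

// After: the string is emitted as a JSON literal. The extra replacements
// keep the literal inert inside an inline <script> block (assumption: the
// template output lands in HTML) and cover U+2028/U+2029, which older
// JavaScript engines treat as line terminators.
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderEncoded(key) {
  return "var label = " + jsonForScript(LANG[key]) + "; return label;";
}

// Parse and run the generated script body, reporting either the
// resulting value or the name of the error that stopped it.
function evaluate(body) {
  try {
    return { ok: true, value: new Function(body)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

function demo() {
  return {
    quoted: evaluate(renderQuoted("sharewith")),   // apostrophe ends the literal early
    encoded: evaluate(renderEncoded("sharewith")), // string survives unchanged
  };
}

console.log(demo());
```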