mahara-contributors team mailing list archive
Message #05637
[Bug 817342] A change has been merged
Reviewed: https://reviews.mahara.org/574
Committed: http://gitorious.org/mahara/mahara/commit/65d78d5c70329ff494949c94bb44999f6aef22c5
Submitter: Richard Mansfield (richardm@xxxxxxxxxx)
Branch: 1.4_STABLE
commit 65d78d5c70329ff494949c94bb44999f6aef22c5
Author: Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>
Date: Wed Aug 10 09:51:50 2011 +1200
Json-encode strings included in viewacl javascript (bug #817342)
Adds a new dwoo function to json-encode strings for inclusion in
template javascript, and uses the function in the viewacl template.
Change-Id: I47e22883c494d0c90fa7075231a840e11d5b6531
Signed-off-by: Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>
https://bugs.launchpad.net/bugs/817342
Title:
Unencoded strings included in viewacl javascript
Status in Mahara ePortfolio:
Confirmed
Status in Mahara 1.3 series:
Confirmed
Status in Mahara 1.4 series:
Confirmed
Bug description:
The viewacl template has javascript which includes strings directly
from the language pack in single quotes instead of json encoded.
Strings containing single quotes will result in syntax errors and will
stop the js from executing.
I'll mark this as "security" till I've had a chance to discuss it with
the others, but it's only exploitable by language pack maintainers, so
it's probably better as public.
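The failure mode in the bug description, and the effect of JSON-encoding, as an added example that is not Mahara's code. It simulates the template step in JavaScript rather than in a Dwoo function; the function names are hypothetical and the sample strings are constructed.

```javascript
// Added example, not Mahara code. All strings below are constructed samples.

// Pre-fix pattern: the language string is dropped between single quotes.
function renderNaive(s) {
  return "return '" + s + "';";
}

// Post-fix pattern: JSON-encode so the value is always one JS string literal.
// "<" is also escaped so "</script>" cannot close an inline script block.
function jsonEncodeForScript(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

function renderEncoded(s) {
  return 'return ' + jsonEncodeForScript(s) + ';';
}

// Parse and run the rendered snippet the way a script engine would.
function evaluate(body) {
  try {
    return { ok: true, value: new Function(body)() };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Compare both renderings of one language string against the original value.
function check(s) {
  const naive = evaluate(renderNaive(s));
  const encoded = evaluate(renderEncoded(s));
  return {
    naiveIntact: naive.ok && naive.value === s,
    naiveError: naive.ok ? null : naive.error,
    encodedIntact: encoded.ok && encoded.value === s,
  };
}

const SAMPLES = [
  'Add access',        // no quotes: both renderings work
  "Ajouter l'accès",   // apostrophe: naive rendering is a syntax error
  "A' + 'B",           // parses, but the text is run as an expression
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), check(s));
}
```

The third sample is the case a syntax check alone would miss: the naive rendering parses cleanly but yields a different value than the language string.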