
mahara-contributors team mailing list archive

[Bug 1009777] Re: Logged-in user's name unescaped in top right header

 

** Changed in: mahara
       Status: Confirmed => Won't Fix

** Changed in: mahara
       Status: Won't Fix => Fix Released

** Changed in: mahara
     Assignee: (unassigned) => Richard Mansfield (richard-mansfield)

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1009777

Title:
  Logged-in user's name unescaped in top right header

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Discovered by Emanuel Bronshtein.  Present in 1.5

   By changing "Display name" in Content->Profile:
   http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/artefact/internal/
   to:
   XSS<script>alert(1)</script>
   then click "Save profile".
   JavaScript code is executed on every request to Mahara pages when the user logs in to the system.
   (unfiltered HTML is printed near "Settings" at the top of the page)
  ---

  I think the display_default_name function should be added as a dwoo
  plugin, along the lines of display_name (see
  htdocs/lib/dwoo/mahara/plugins/function.display_name.php); other calls
  to display_default_name in templates should be modified to avoid
  double-escaping.

  In the long term perhaps we should reconsider the policy for calls to
  php functions in the dwoo templates - I believe the policy can be
  changed to disallow calls to arbitrary php functions, or to escape the
  output from them, but a change like that would require testing all our
  templates, and lots of work for 3rd party plugins & themes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1009777/+subscriptions
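
The approach suggested in the bug description (escape the name once, inside a template plugin, and avoid escaping it again in the template), shown as an added stand-alone example that is not Mahara or Dwoo code. Every function name and the sample user records are hypothetical and constructed for illustration.

```php
<?php
// Added example: stand-alone sketch, not Mahara or Dwoo code.
// All function names and array keys below are hypothetical.

// Stand-in for a PHP helper that returns the user's chosen name UNESCAPED.
function example_default_name(array $user): string {
    return $user['display_name'] !== ''
        ? $user['display_name']
        : $user['first_name'] . ' ' . $user['last_name'];
}

// Stand-in for a template plugin: the single place where HTML escaping happens.
function example_plugin_default_name(array $user): string {
    return htmlspecialchars(example_default_name($user), ENT_QUOTES, 'UTF-8');
}

// Stand-in for an escape filter a template might apply to the same value.
function example_template_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$users = [ // constructed sample data
    ['first_name' => 'A', 'last_name' => 'B',
     'display_name' => 'XSS<script>alert(1)</script>'],
    ['first_name' => 'Tom', 'last_name' => 'Smith',
     'display_name' => 'Tom & Jerry'],
    ['first_name' => 'Ann', 'last_name' => "O'Neil", 'display_name' => ''],
];

foreach ($users as $u) {
    $raw   = example_default_name($u);        // helper called directly from a template
    $once  = example_plugin_default_name($u); // plugin output: safe to print as-is
    $twice = example_template_escape($once);  // template escapes the plugin output again

    echo "raw helper output : $raw\n";
    echo "plugin (escaped)  : $once\n";
    echo "escaped twice     : $twice\n";

    // One decode must give back the stored name; otherwise the page shows entities.
    if (html_entity_decode($once, ENT_QUOTES, 'UTF-8') !== $raw) {
        throw new RuntimeException('plugin output does not round-trip');
    }
    if ($twice !== $once) {
        echo "  -> double-escaped: browser would display literal entities\n";
    }
    echo "\n";
}
```

The third record contains no markup at all, yet the apostrophe is still mangled when the value is escaped twice, which is why existing template calls need reviewing when the escaping moves into the plugin.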