mahara-contributors team mailing list archive
Message #09744
[Bug 1009777] A change has been merged
Reviewed: https://reviews.mahara.org/1457
Committed: http://gitorious.org/mahara/mahara/commit/47e3906d6791b93b7eaf1d6500828924b10b2bb6
Submitter: Hugh Davenport (hugh@xxxxxxxxxxxxxxx)
Branch: master
commit 47e3906d6791b93b7eaf1d6500828924b10b2bb6
Author: Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>
Date: Mon Jun 11 17:16:37 2012 +1200
Add display_default_name dwoo plugin (bug #1009777)
This just html escapes the output of display_default_name. Existing
calls are modified to avoid double escaping.
Change-Id: I117a748a4d4cdb3313377f3441bbd20567a88fcb
Signed-off-by: Richard Mansfield <richard.mansfield@xxxxxxxxxxxxxxx>
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1009777
Title:
Logged-in user's name unescaped in top right header
Status in Mahara ePortfolio:
Fix Released
Bug description:
Discovered by Emanuel Bronshtein. Present in 1.5
By changing "Display name" in Content->Profile:
http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/artefact/internal/
to:
XSS<script>alert(1)</script>
then click "Save profile".
JavaScript code is executed on every request to Mahara pages when the user logs in to the system.
(unfiltered HTML printed near "Settings" at the top of the page)
---
I think the display_default_name function should be added as a dwoo
plugin, along the lines of display_name (see
htdocs/lib/dwoo/mahara/plugins/function.display_name.php); other calls
to display_default_name in templates should be modified to avoid
double-escaping.
In the long term perhaps we should reconsider the policy for calls to
PHP functions in the Dwoo templates - I believe the policy can be
changed to disallow calls to arbitrary PHP functions, or to escape the
output from them, but a change like that would require testing all our
templates, and lots of work for 3rd party plugins & themes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1009777/+subscriptions
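As an added illustration (not Mahara's code and not part of the bug thread) of the fix pattern described in the commit message and comment above: a Dwoo function plugin that wraps display_default_name so that templates get an escaped value, plus the double-escaping artefact that motivated changing the existing calls. The stand-in display_default_name(), the sample user object and the plugin signature follow the general Dwoo_Plugin_<name>($dwoo, ...) convention and are assumptions, not copied from Mahara's function.display_name.php.

```php
<?php
// Stand-in for Mahara's display_default_name() (assumed shape): it returns
// the display name exactly as the user stored it, i.e. unescaped.
function display_default_name($user) {
    return $user->displayname;
}

// Dwoo function plugin (assumed signature, following the Dwoo convention).
// Its only job is to HTML-escape the raw value, so a template that writes
// {display_default_name user=$user} can never emit live markup.
function Dwoo_Plugin_display_default_name($dwoo, $user) {
    return htmlspecialchars(display_default_name($user), ENT_QUOTES, 'UTF-8');
}

// Returns the three values a reviewer wants to compare for one user:
// raw (old template path), escaped (plugin path), and what happens if a
// template that already applied |escape is left unchanged (double escaping).
function compare_outputs($user) {
    $raw     = display_default_name($user);
    $escaped = Dwoo_Plugin_display_default_name(null, $user);
    $double  = htmlspecialchars($escaped, ENT_QUOTES, 'UTF-8');
    return array('raw' => $raw, 'escaped' => $escaped, 'double' => $double);
}

// Constructed sample user carrying the display name from the bug report.
$user = (object) array('displayname' => 'XSS<script>alert(1)</script>');
$out  = compare_outputs($user);

// Old path: markup reaches the page header verbatim.
assert($out['raw'] === 'XSS<script>alert(1)</script>');
// Plugin path: inert text, rendered literally by the browser.
assert($out['escaped'] === 'XSS&lt;script&gt;alert(1)&lt;/script&gt;');
// Unchanged |escape call on top of the plugin: visible "&amp;lt;" garbage,
// which is why the commit also edited the existing template calls.
assert($out['double'] === 'XSS&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;');

foreach ($out as $label => $value) {
    echo str_pad($label, 8) . $value . "\n";
}
```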