mahara-contributors team mailing list archive

[Aaron Wells <1472439@xxxxxxxxxxxxxxxxxx>]

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1472439

Title:
  XSS in "add to watchlist" link on artefact detail screen

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Committed
Status in Mahara 1.8 series:
  Won't Fix
Status in Mahara 1.9 series:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed

Bug description:
  On artefact detail screens, when we you click on the "add to
  watchlist" link, we use AJAX to update the link to read "remove from
  watchlist". But, we are not properly escaping the page title in that
  AJAX, which makes it possible to execute Javascript that has been
  placed in the page title.

  To replicate:

  1. Create a portfolio Page
  2. Give the page this title:

  "><img src=0 onerror=alert(location)>

  3. Put an image block in the page.
  4. View the page in display mode.
  5. Click on the link to view the artefact detail screen for the image
  6. At the bottom of the artefact detail screen, click on the link that reads "Add page ""><img src=0 onerror=alert(location)>" to watchlist" or "Remove page ""><img src=0 onerror=alert(location)>" to watchlist"

  Expected result: The page should be added or removed from your
  watchlist, and the link title should show the HTML-escaped version of
  the page title.

  Actual result: The page is added or removed from your watchlist, but
  the link title is not HTML-escaped and Javascript "alert(location)"
  executes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1472439/+subscriptions