mahara-contributors team mailing list archive

[Robert Lyon <robertl@xxxxxxxxxxxxxxx>]

Public bug reported:

When testing https://bugs.launchpad.net/mahara/+bug/1706536 I noticed
there was a problem on the page settings form where skin title was not
being escaped.

To test:
1) Set up a skin with the title:

It's all <script>alert(1);</script>good!

2a) If the patch for bug 1706536 is in play it should show the title as inputed but not execute the js
2b) If the patch for bug 1706536 is not present it should show the title with special characters escaped but not execute the js

3) Go to pages and collections and edit a page
4) Click on settings

You get an alert box with '1' in it

The title for the skin needs to be escaped/made safe

** Affects: mahara
     Importance: High
     Assignee: Cecilia Vela Gurovic (ceciliavg)
         Status: Confirmed

** Affects: mahara/17.10
     Importance: High
     Assignee: Cecilia Vela Gurovic (ceciliavg)
         Status: Confirmed

** Also affects: mahara/17.10
   Importance: Undecided
       Status: New

** Changed in: mahara/17.10
   Importance: Undecided => High

** Changed in: mahara/17.10
     Assignee: (unassigned) => Cecilia Vela Gurovic (ceciliavg)

** Changed in: mahara/17.10
    Milestone: None => 17.10.0

** Changed in: mahara/17.10
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1707076

Title:
   Skin title not escaped in page settings form

Status in Mahara:
  Confirmed
Status in Mahara 17.10 series:
  Confirmed

Bug description:
  When testing https://bugs.launchpad.net/mahara/+bug/1706536 I noticed
  there was a problem on the page settings form where skin title was not
  being escaped.

  To test:
  1) Set up a skin with the title:

  It's all <script>alert(1);</script>good!

  2a) If the patch for bug 1706536 is in play it should show the title as inputed but not execute the js
  2b) If the patch for bug 1706536 is not present it should show the title with special characters escaped but not execute the js

  3) Go to pages and collections and edit a page
  4) Click on settings

  You get an alert box with '1' in it

  The title for the skin needs to be escaped/made safe

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1707076/+subscriptions