
mahara-contributors team mailing list archive

[Bug 1707076] A change has been merged

 

Reviewed:  https://reviews.mahara.org/7973
Committed: https://git.mahara.org/mahara/mahara/commit/356c8f1c10b0257459ccb1723c15dd6114141fa2
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    17.04_STABLE

commit 356c8f1c10b0257459ccb1723c15dd6114141fa2
Author: Cecilia Vela Gurovic <ceciliavg@xxxxxxxxxxxxxxx>
Date:   Mon Jul 31 17:02:36 2017 +1200

Bug 1707076: escape skin titles to display

behatnotneeded

Change-Id: I469f8136e287bb86eb17a32dbed48dec05b87969

https://bugs.launchpad.net/bugs/1707076

Title:
   Skin title not escaped in page settings form

Status in Mahara:
  Fix Committed
Status in Mahara 16.04 series:
  In Progress
Status in Mahara 16.10 series:
  In Progress
Status in Mahara 17.04 series:
  Fix Committed
Status in Mahara 17.10 series:
  Fix Committed

Bug description:
  When testing https://bugs.launchpad.net/mahara/+bug/1706536 I noticed
  there was a problem on the page settings form where skin title was not
  being escaped.

  To test:
  1) Set up a skin with the title:

  It's all <script>alert(1);</script>good!

  2a) If the patch for bug 1706536 is in play it should show the title as inputted but not execute the js
  2b) If the patch for bug 1706536 is not present it should show the title with special characters escaped but not execute the js

  3) Go to pages and collections and edit a page
  4) Click on settings

  You get an alert box with '1' in it

  The title for the skin needs to be escaped/made safe

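The class of fix the report asks for (escape the stored skin title at the point it is written into the form markup), as an added example that is not Mahara's code and is not taken from the commit. The function names, the `skin-thumb.php` URL and the record layout are hypothetical; the sample title is the one from the test steps.

```php
<?php
// Added illustration, not Mahara code: all function and field names are hypothetical.

// Constructed sample record using the test title from the bug description.
$skin = [
    'id'    => 7,
    'title' => "It's all <script>alert(1);</script>good!",
];

// Behaviour the bug describes: the stored title is concatenated into markup as-is,
// so the browser parses the <script> element when the settings form is rendered.
function render_skin_choice_unescaped(array $skin): string {
    return '<label for="skin_' . (int) $skin['id'] . '">' . $skin['title'] . '</label>';
}

// Escape once, at output time, for the HTML context. ENT_QUOTES also encodes
// single quotes, so the same value is safe inside a quoted attribute.
function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: the title is escaped in both the element text and the alt attribute.
function render_skin_choice_escaped(array $skin): string {
    $id    = (int) $skin['id'];
    $title = escape_html($skin['title']);
    return '<label for="skin_' . $id . '">' . $title . '</label>'
         . '<img src="skin-thumb.php?id=' . $id . '" alt="' . $title . '">';
}

$before = render_skin_choice_unescaped($skin);
$after  = render_skin_choice_escaped($skin);

// Regression checks a reviewer can run against the rendered markup.
$checks = [
    'unescaped output carries a live script tag' => stripos($before, '<script>') !== false,
    'escaped output carries no script tag'       => stripos($after, '<script') === false,
    'escaped output keeps the visible text'      =>
        html_entity_decode(escape_html($skin['title']), ENT_QUOTES, 'UTF-8') === $skin['title'],
    'single quote is encoded for attributes'     => strpos($after, "'") === false,
];

foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ": $name\n";
}
```

The third check confirms that the escaped value decodes back to the title as typed, which is what step 2a expects the user to see.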

