mahara-contributors team mailing list archive
Message #45226
[Bug 1719472] A change has been merged
Reviewed: https://reviews.mahara.org/8206
Committed: https://git.mahara.org/mahara/mahara/commit/a99dbced72c6fd76d0589bcac6e4af8db330c4bd
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch: 17.04_STABLE
commit a99dbced72c6fd76d0589bcac6e4af8db330c4bd
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date: Tue Sep 26 11:27:34 2017 +1300
Bug 1719472: Escape user's display_name() when supplying to autocomplete
behatnotneeded
Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1719472
Title:
User autocomplete selector in Mail composer not escaping the name
Status in Mahara:
Fix Released
Status in Mahara 16.04 series:
Fix Committed
Status in Mahara 16.10 series:
Fix Committed
Status in Mahara 17.04 series:
Fix Committed
Status in Mahara 17.10 series:
Fix Released
Bug description:
This means that a user can set a bad name and compromise another user.
To reproduce:
*) Login as "user1"
*) Click on "Main menu" - "Content" - "Profile" - "About me"
*) Insert at "First name" or "Last name" or "Display name":
<script>alert(1)</script>
*) Save with "Save profile"
*) Click on "User menu" - "0 unread" - "Compose"
*) Send a message to another user, for example:
Recipients: user2
Subject: Hello
Message: Please reply
*) Send the message with "Send message"
*) Logout as "user1"
*) Login as "user2"
*) Open the received message in the dashboard ("Inbox")
*) Click on "Reply"
*) The alert dialog appears
To fix:
Normally when we show a user's name on screen, we filter it via hsc().
But in this case the name is being fetched by the autocomplete pieform element via the translate_ids_to_names() function without being escaped.
So we need to escape it before returning the name.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1719472/+subscriptions
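The fix described in the bug report, sketched as an added PHP example that is not Mahara's code and not taken from the commit. The function names, the `id`/`text` result shape and the sample users are assumptions made for illustration, and `htmlspecialchars()` stands in for `hsc()`.

```php
<?php
// Added illustration; not Mahara source. All function names below are
// hypothetical stand-ins for the id-to-name lookup the bug report describes.

// Constructed sample data: user 1 stored the string from the report as a name.
$users = [
    1 => ['firstname' => '<script>alert(1)</script>', 'lastname' => 'One'],
    2 => ['firstname' => 'User', 'lastname' => "O'Two & Co"],
];

// Stand-in for hsc(): HTML-escape for element and quoted-attribute context.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before the fix: names reach the autocomplete element exactly as stored.
function ids_to_names_unescaped(array $ids, array $users): array {
    $out = [];
    foreach ($ids as $id) {
        if (!isset($users[$id])) {
            continue; // unknown id: skip it rather than echo input back
        }
        $u = $users[$id];
        $out[] = ['id' => (int) $id, 'text' => $u['firstname'] . ' ' . $u['lastname']];
    }
    return $out;
}

// After the fix: escape each name once, at the point where it is returned.
function ids_to_names_escaped(array $ids, array $users): array {
    return array_map(
        fn(array $row): array => ['id' => $row['id'], 'text' => escape_html($row['text'])],
        ids_to_names_unescaped($ids, $users)
    );
}

foreach (['unescaped' => 'ids_to_names_unescaped', 'escaped' => 'ids_to_names_escaped'] as $label => $fn) {
    foreach ($fn([1, 2, 99], $users) as $row) {
        // A raw angle bracket in the label is what lets a stored name become markup.
        $flag = strpbrk($row['text'], '<>') === false ? 'ok' : 'RAW MARKUP';
        printf("%-9s id=%d %-10s %s\n", $label, $row['id'], $flag, $row['text']);
    }
}
```

Escaping at the lookup assumes the element inserts the returned string as HTML; if the consumer escapes again, names such as `O'Two & Co` will display double-encoded, so each value should be escaped exactly once on its way to the page.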