
mahara-contributors team mailing list archive

[Bug 1744789] Re: Avoid relying on TinyMCE code stripping alone


** Information type changed from Private Security to Public Security

** Changed in: mahara/18.04
       Status: In Progress => Fix Committed

** Changed in: mahara/17.10
       Status: Confirmed => Fix Committed

** Changed in: mahara/17.04
       Status: Confirmed => Fix Committed

** Changed in: mahara/16.10
       Status: Confirmed => Fix Committed

** Also affects: mahara/18.10
   Importance: Undecided
       Status: New

** Changed in: mahara/18.10
       Status: New => Fix Committed

** Changed in: mahara/18.10
   Importance: Undecided => High

** Changed in: mahara/18.10
    Milestone: None => 18.10.0

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1744789

Title:
  Avoid relying on TinyMCE code stripping alone

Status in Mahara:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed
Status in Mahara 17.04 series:
  Fix Committed
Status in Mahara 17.10 series:
  Fix Committed
Status in Mahara 18.04 series:
  Fix Committed
Status in Mahara 18.10 series:
  Fix Committed

Bug description:
  TinyMCE will strip bad strings from input, e.g. <script> tags, but we
  must make sure we don't just rely on that alone. We should also clean
  up input on the server/PHP end, as one can create their own packet of
  POST data containing bad content to hit the server with.

  This can be seen in the Wall plugin, where we can make a wallpost POST
  package have a bad 'text' value and have it saved unaltered.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1744789/+subscriptions