mahara-contributors team mailing list archive

Thread
Date

[Bug 1744789] Re: Avoid relying on TinyMCE code stripping alone

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Cecilia Vela Gurovic <1744789@xxxxxxxxxxxxxxxxxx>
Date: Thu, 25 Oct 2018 02:39:30 -0000
Reply-to: Bug 1744789 <1744789@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: mahara/18.10
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1744789

Title:
  Avoid relying on TinyMCE code stripping alone

Status in Mahara:
  Fix Released
Status in Mahara 16.10 series:
  Fix Released
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released
Status in Mahara 18.04 series:
  Fix Released
Status in Mahara 18.10 series:
  Fix Released

Bug description:
  TinyMCE will strip bad strings from input, eg <script> tags but we
  must make sure we don't just rely on that alone. We should also clean
  up input on the server/php end as one can create their own packet of
  POST data containing bad content to hit the server with.

  This can be seen in the Wall plugin where we can make a wallpost POST
  package have a bad 'text' value and have it save unaltered.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1744789/+subscriptions