mahara-contributors team mailing list archive
Message #55113
[Bug 1836803] Re: Update HTML Purifier to 4.11.0
Commit hash: ee794865bef9d0933a45947b137f54571e6d28cb
Environment tested: Master
Browser tested: Chrome
Theme used: Primary school
PRECONDITIONS:
------------------------
1) N/A
NOTE: The objective of this library is to strip out malicious code from
the TinyMCE editor when text is entered through the source code function.
TEST STEPS: Enter malicious code into the Source code window
------------------------
1) Log in as site admin
2) Browse to and edit any page that contains a TinyMCE editor
3) Click inside the TinyMCE text area
4) Open the source code window and enter the following source code into the text area
<a href="javascript:document.location='http://www.google.com/'">XSS</a>
5) Click the OK button
6) Verify that the text "XSS" is displayed in the TinyMCE editor area
7) Reopen the source code window
8) Verify that the code that you originally placed is now displayed as follows
<p><a>XSS</a></p>
Catalyst QA Approved ✔
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1836803
Title:
Update HTML Purifier to 4.11.0
Status in Mahara:
In Progress
Bug description:
To make it PHP 7.3 compatible
See https://github.com/ezyang/htmlpurifier/blob/v4.11.0/NEWS for the
other fixes
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1836803/+subscriptions
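The manual check in the test steps above can also be run against the library directly. The script below is an added example, not part of the original message and not Mahara's code. It assumes HTML Purifier's library/ directory is on the PHP include_path and uses the library's default configuration rather than Mahara's own settings; the helper name surviving_hrefs and the control link are constructed for illustration.

```php
<?php
// Added example, not Mahara's code. Assumption: HTML Purifier's library/
// directory is on the include_path; the default configuration is used.
require_once 'HTMLPurifier.auto.php';

/** Purify $html and return the href values that survive (hypothetical helper). */
function surviving_hrefs(HTMLPurifier $purifier, string $html): array
{
    $clean = $purifier->purify($html);
    $doc = new DOMDocument();
    // Wrap the fragment so it always parses; silence fragment warnings.
    @$doc->loadHTML('<div>' . $clean . '</div>');
    $hrefs = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        if ($a->hasAttribute('href')) {
            $hrefs[] = $a->getAttribute('href');
        }
    }
    return $hrefs;
}

$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null); // do not write a definition cache
$purifier = new HTMLPurifier($config);

// input => number of href attributes expected after purification
$cases = [
    // The markup from step 4 of the test report.
    '<a href="javascript:document.location=\'http://www.google.com/\'">XSS</a>' => 0,
    // Constructed control: an ordinary link must keep its href.
    '<a href="https://example.org/">ok</a>' => 1,
];

$failed = 0;
foreach ($cases as $input => $expected) {
    $hrefs = surviving_hrefs($purifier, $input);
    // Any href that survives must use a plain web scheme.
    $schemes = array_map(fn($h) => strtolower((string) parse_url($h, PHP_URL_SCHEME)), $hrefs);
    $ok = count($hrefs) === $expected
        && array_diff($schemes, ['http', 'https']) === [];
    $failed += $ok ? 0 : 1;
    printf("%s  %s\n", $ok ? 'PASS' : 'FAIL', $input);
}
exit($failed === 0 ? 0 : 1);
```

The control case guards against a configuration that passes the first check only because it strips every link.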