mahara-contributors team mailing list archive

[Bug 1836803] Re: Update HTML Purifier to 4.11.0

 

Commit hash: ee794865bef9d0933a45947b137f54571e6d28cb
Environment tested: Master
Browser tested: Chrome
Theme used: Primary school

PRECONDITIONS: 
------------------------ 
1) N/A

NOTE: The objective of this library is to strip out malicious code from
the tinyMCE editor when text is entered through the source code function.

TEST STEPS: Enter malicious code into the Source code window
------------------------ 
1) Log in as site admin 
2) Browse to and edit any page that contains a TinyMCE editor 
3) Click inside the TinyMCE text area
4) Open the source code window and enter the following source code into the text area
      <a href="javascript:document.location='http://www.google.com/'">XSS</a>
5) Click the OK button
6) Verify that the text "XSS" is displayed in the TinyMCE editor area
7) Reopen the source code window
8) Verify that the code that you originally placed is now displayed as follows 
     <p><a>XSS</a></p>

Catalyst QA Approved ✔

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1836803

Title:
  Update HTML Purifier to 4.11.0

Status in Mahara:
  In Progress

Bug description:
  To make it PHP 7.3 compatible

  See https://github.com/ezyang/htmlpurifier/blob/v4.11.0/NEWS for the
  other fixes

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1836803/+subscriptions
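
The comparison made by hand in steps 4 to 8 of the test above can be automated by auditing the sanitized markup for URL attributes whose scheme is not on an allowlist. This is an added example, not code from Mahara or HTML Purifier; the allowlist, the attribute set and the names `url_scheme` and `audit` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: allowlist chosen for this example, not Mahara's configuration.
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL
URL_ATTRS = {"href", "src", "action", "formaction"}

# Values copied from steps 4 and 8 of the test report.
SUBMITTED = "<a href=\"javascript:document.location='http://www.google.com/'\">XSS</a>"
EXPECTED_AFTER_PURIFY = "<p><a>XSS</a></p>"

_STRIP = "".join(chr(c) for c in range(0x21))       # C0 controls and space
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*\Z")


def url_scheme(value):
    """Return the lower-cased scheme of a URL, or "" if it is relative.

    Leading/trailing control characters and embedded tab/CR/LF are dropped
    first, because browsers discard them before parsing the URL.
    """
    cleaned = value.strip(_STRIP)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    head, sep, _ = cleaned.partition(":")
    if sep and _SCHEME.match(head):
        return head.lower()
    return ""


class _SchemeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes character references.
        for name, value in attrs:
            if name in URL_ATTRS and value is not None:
                scheme = url_scheme(value)
                if scheme not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, scheme))


def audit(html):
    """List (tag, attribute, scheme) for every disallowed URL scheme."""
    parser = _SchemeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print("submitted:", audit(SUBMITTED))
    print("purified: ", audit(EXPECTED_AFTER_PURIFY))
```

An empty list for the markup read back in step 8 corresponds to a pass; any finding means a URL attribute survived sanitization with a scheme outside the allowlist.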

