** This bug has been flagged as a security vulnerability -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1009774

Title:
  Links & resources urls are unsanitised

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Discovered by Emanuel Bronshtein.
  Present in all versions, requires an admin account.

  Configure site -> Menus -> Add External Link:
  http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/site/menu.php

  Add new Link:
  Name: XSS
  Linked to: javascript:alert(location)
  click "Add".

  ...

  fix: Allow only whitelisted protocols (http,https,mailto). The sanitize_url function should be used for this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1009774/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
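As an added illustration of the fix the report proposes (a scheme whitelist for the menu link field), written here in Python and not Mahara's own sanitize_url: the function accepts only http, https and mailto, normalises the input the way browsers do before inspecting the scheme, and the renderer still attribute-escapes whatever survives. Rejecting relative paths and requiring a host for http/https are assumptions of this example, made because the field holds external links.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Schemes the "External Link" field may carry, as the bug report proposes.
# Anything else (javascript:, data:, vbscript:, ...) is rejected outright
# rather than "cleaned up".
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# Browsers strip leading/trailing ASCII whitespace and C0 controls and drop
# tab/CR/LF anywhere before parsing a URL. The check must do the same, or a
# value such as " JavaScript:..." would pass a naive prefix test.
_EDGE_JUNK = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_JUNK = re.compile(r"[\t\r\n]")


def sanitize_url(url: str) -> Optional[str]:
    """Return a normalised copy of `url` if its scheme is whitelisted, else None.

    Relative paths are rejected too (assumption of this example: the field is
    for external links, so an explicit scheme is required).
    """
    if not isinstance(url, str):
        return None
    cleaned = _INNER_JUNK.sub("", _EDGE_JUNK.sub("", url))
    parts = urlsplit(cleaned)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    if parts.scheme in ("http", "https") and not parts.netloc:
        return None  # "http:foo" has no host and is not a usable link
    if parts.scheme == "mailto" and not parts.path:
        return None
    return urlunsplit(parts)


def render_menu_link(name: str, url: str) -> str:
    """Build the <a> tag for a menu entry, or a plain span if the URL fails
    the whitelist. A whitelisted scheme does not make the rest of the URL safe
    inside an HTML attribute, so it is still escaped on output."""
    safe = sanitize_url(url)
    if safe is None:
        return f"<span>{html.escape(name)}</span>"
    return f'<a href="{html.escape(safe, quote=True)}">{html.escape(name)}</a>'
```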

