Reviewed: https://reviews.mahara.org/1460
Committed: http://gitorious.org/mahara/mahara/commit/e47eea0381645be217c516a43411e4998e70c404
Submitter: Hugh Davenport ([email protected])
Branch: master

commit e47eea0381645be217c516a43411e4998e70c404
Author: Melissa Draper <[email protected]>
Date: Mon Jul 9 14:25:03 2012 +1200

Sanitize links in links and resources menu (bug #1009774)

Links placed in the links and resources list have not been getting checked and so have been displayed unfiltered to users and other admins. These user-supplied links are now checked with sanitize_url, which has been extended to convert relative links to absolute.

Change-Id: I679627c4e33621df82705c39e77e7226ffef5a97
Signed-off-by: Melissa Draper <[email protected]>

--

https://bugs.launchpad.net/bugs/1009774

Title: Links & resources urls are unsanitised

Status in Mahara ePortfolio: Fix Released

Bug description:

Discovered by Emanuel Bronshtein.

Present in all versions, requires an admin account.

Configure site -> Menus -> Add External Link: http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/site/menu.php

Add new Link:
Name: XSS
Linked to: javascript:alert(location)
Click "Add".

...

Fix: Allow only whitelisted protocols (http,https,mailto). The sanitize_url function should be used for this.

Mailing list: https://launchpad.net/~mahara-contributors
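The check the fix describes, written out as an added example (this is not Mahara's own sanitize_url, whose source is not shown here): only http, https and mailto survive, scheme-less links are resolved against an assumed site base `https://example.org/mahara/`, and the `javascript:` link from the report is rejected along with case and whitespace variants of it.

```python
from urllib.parse import urlsplit, urljoin

# Assumed site base; Mahara would take this from its configured wwwroot.
SITE_BASE = "https://example.org/mahara/"
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# ASCII control characters plus space: browsers skip these before a scheme.
_LEADING_JUNK = "".join(chr(i) for i in range(0x21)) + "\x7f"


def sanitize_url(url, base=SITE_BASE):
    """Return an absolute URL with an allowed scheme, or '' if rejected.

    Rejecting (returning '') rather than repairing keeps the decision
    simple: anything that is not plainly http/https/mailto is dropped.
    """
    if not isinstance(url, str):
        return ""
    # Browsers ignore tab/CR/LF anywhere in a URL and control characters
    # before the scheme, so remove them first; otherwise "java\tscript:"
    # would parse as scheme-less and be treated like a relative link.
    cleaned = "".join(c for c in url if c not in "\t\r\n").strip(_LEADING_JUNK)
    if not cleaned:
        return ""
    parts = urlsplit(cleaned)
    if not parts.scheme:
        # Relative link: pin it to the site base so it is stored absolute.
        cleaned = urljoin(base, cleaned)
        parts = urlsplit(cleaned)
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lower-cases the scheme
        return ""
    if parts.scheme in ("http", "https") and not parts.netloc:
        return ""                              # "http:foo" has no host
    return cleaned


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the bug report.
    for sample in ["javascript:alert(location)", "  JavaScript:alert(1)",
                   "java\tscript:alert(1)", "data:text/html,x",
                   "http://example.com/page", "mailto:[email protected]",
                   "admin/site/menu.php", "/artefact/file/"]:
        print(repr(sample), "->", repr(sanitize_url(sample)))
```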

