** Information type changed from Private Security to Public Security

** Changed in: mahara/1.5
       Status: Fix Committed => Fix Released

** Changed in: mahara/1.6
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contrib members
https://bugs.launchpad.net/bugs/1153423

Title:
  Stored XSS in TinyMCE editor

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.5 series:
  Fix Released
Status in Mahara 1.6 series:
  Fix Released
Status in Mahara 1.7 series:
  Fix Committed

Bug description:
  Reported by two independent researchers in different locations.

  How to reproduce:
  - Go to a page with a TinyMCE editor (such as /artefact/internal/ -> Introduction)
  - Click the TinyMCE "HTML" button
  - Enter payload of something like "<img src=x onmouseover=alert(1)>"
  - Save page
  - Reload, hover over broken image, notice the alert

  The XSS is stored only for the editing part of the TinyMCE editor. I couldn't
  quickly find any location where it was not escaped in the view section (which
  is blocktype-dependent; the above example would be the profileinfo blocktype
  from artefact/internal).

  The fix is to escape the value sent to tinymce in
  lib/form/elements/wysiwyg.php, patch forthcoming.

  The other location reported was in a new page, the "Page description"
  input. The same patch fixes this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1153423/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp
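The following is an added illustration of the bug class the report describes and of the output-encoding fix it proposes. It is not Mahara's code and not the patch referred to above: the function names, the `introduction` field name and the markup are hypothetical, and the stored value is a constructed sample matching the payload quoted in the report.

```php
<?php
// Added illustration, not Mahara's code: function, element and field names
// are hypothetical. A stored HTML value is written into a TinyMCE-backed
// <textarea> without escaping (vulnerable form) and with escaping (fixed form).

declare(strict_types=1);

// Constructed sample: the kind of payload quoted in the report, as it would be
// stored after being entered through TinyMCE's "HTML" dialog.
const STORED_INTRODUCTION = '<img src=x onmouseover=alert(1)>';

// Vulnerable rendering: the stored value is interpolated into the page verbatim,
// so whatever markup it contains reaches the browser's HTML parser as markup.
function render_wysiwyg_vulnerable(string $name, string $value): string
{
    return '<textarea name="' . $name . '" class="wysiwyg">' . $value . '</textarea>';
}

// HTML-escape a string for insertion into element content or a quoted attribute.
// ENT_QUOTES covers both ' and " so the same helper is safe in either context.
function hsc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fixed rendering: every value crossing into HTML output is escaped, the
// attribute and the element body alike. The browser decodes the entities when
// it builds the textarea's value, so the editor still receives the stored text.
function render_wysiwyg_safe(string $name, string $value): string
{
    return '<textarea name="' . hsc($name) . '" class="wysiwyg">' . hsc($value) . '</textarea>';
}

// Regression check a test suite could run over every form element that emits
// user-controlled content: the rendered markup must not contain the stored
// value as raw HTML.
function leaks_raw_html(string $rendered, string $stored): bool
{
    return strpos($rendered, $stored) !== false;
}

$before = render_wysiwyg_vulnerable('introduction', STORED_INTRODUCTION);
$after  = render_wysiwyg_safe('introduction', STORED_INTRODUCTION);

echo "before: $before\n";
echo "after:  $after\n";

if (!leaks_raw_html($before, STORED_INTRODUCTION)) {
    throw new RuntimeException('expected the unescaped rendering to leak raw markup');
}
if (leaks_raw_html($after, STORED_INTRODUCTION)) {
    throw new RuntimeException('escaped rendering still leaks raw markup');
}
echo "ok\n";
```

Run with `php example.php`. The check above only covers the server-side encoding step the report names; what the editor itself does with the decoded value once it loads it (stripping event-handler attributes, or purifying content on save) is a separate control and is not shown here.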
