** Changed in: mahara/1.10
       Status: Fix Committed => Fix Released

** Information type changed from Private Security to Public Security

** Tags added: regresion

** Tags removed: regresion
** Tags added: regression

** Changed in: mahara/1.10
    Milestone: None => 1.10.0

** Changed in: mahara/1.11
    Milestone: 1.10.0 => 1.11.0

-- 
https://bugs.launchpad.net/bugs/1375092

Title:
  XSS in page content editor

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.11 series:
  Fix Committed

Bug description:
  Steps to reproduce in master:

  1. Create a page
  2. Click "Text box" in the content editor
  3. Enter "<script>alert(1);</script>" without the quotes in the "Block title" and save the block
  4. Click "Text box" in the content editor again. (Note: do not drag/drop a text box, only happens if you click)

  What happens:

  An alert is popped up on the page.

  What should happen:

  Alert should not be shown.

  Proposed fix is attached as a patch. Note that while the attached
  patch fixes it for me, there are other references to h2.title in that
  file, so you might want to confirm that this fixes it properly.

  Simon
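The defect described above is a stored title being written into the editor's h2.title element as raw markup. The following added example (not Mahara's code, and not the attached patch) shows that pattern beside an output-escaped version; the `<h2 class="title">` markup shape, the function names and the sample title are assumptions made for illustration.

```javascript
// Added example, not Mahara's own code. Escapes the five characters that
// change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed markup shape): the stored block title is
// concatenated straight into the h2.title markup, so any tag in the title
// is parsed as HTML each time the editor re-renders the block.
function renderBlockTitleUnsafe(title) {
  return '<h2 class="title">' + title + '</h2>';
}

// Hardened pattern: the same title, escaped once at the point of output.
// In browser DOM code the equivalent is `el.textContent = title` instead
// of `el.innerHTML = ...`; every output site (each h2.title reference the
// report mentions) needs the same treatment, not just the one that was hit.
function renderBlockTitleSafe(title) {
  return '<h2 class="title">' + escapeHtml(title) + '</h2>';
}

// Check used to compare the two renderers: true when anything other than
// the h2 wrapper we emitted ourselves opens a tag inside the rendered markup.
function containsForeignTag(html) {
  const inner = html.replace(/^<h2 class="title">/, '').replace(/<\/h2>$/, '');
  return /<[a-zA-Z/!]/.test(inner);
}

// Constructed sample input: the title from the reproduction steps above.
const SAMPLE_TITLE = '<script>alert(1);</script>';

console.log('unsafe:', renderBlockTitleUnsafe(SAMPLE_TITLE));
console.log('safe:  ', renderBlockTitleSafe(SAMPLE_TITLE));
```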

