** Changed in: mahara/1.8
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1381868

Title:
  XSS with institution full name on user profile page

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.11 series:
  Fix Committed
Status in Mahara 1.7 series:
  Fix Committed
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Committed

Bug description:
  Yuliya reported this one to me via IRC. The institution display name
  is not filtered for HTML on the user profile page. Consequently, site
  admins and institutional admins can put JavaScript into it.

  This is a medium-level security threat, mainly of concern to multi-
  tenanted Mahara institutions where the security of the "institutional
  admin" users may not be fully vetted by the site administrators.
