Reviewed: https://reviews.mahara.org/7971 Committed: https://git.mahara.org/mahara/mahara/commit/b069c0a0462ee391ba7f16e67a7c85850850b43f Submitter: Robert Lyon ([email protected]) Branch: 16.04_STABLE
commit b069c0a0462ee391ba7f16e67a7c85850850b43f Author: Cecilia Vela Gurovic <[email protected]> Date: Mon Jul 31 17:02:36 2017 +1200 Bug 1707076: escape skin titles to display behatnotneeded Change-Id: I469f8136e287bb86eb17a32dbed48dec05b87969 -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1707076 Title: Skin title not escaped in page settings form Status in Mahara: Fix Committed Status in Mahara 16.04 series: Fix Committed Status in Mahara 16.10 series: Fix Committed Status in Mahara 17.04 series: Fix Committed Status in Mahara 17.10 series: Fix Committed Bug description: When testing https://bugs.launchpad.net/mahara/+bug/1706536 I noticed there was a problem on the page settings form where skin title was not being escaped. To test: 1) Set up a skin with the title: It's all <script>alert(1);</script>good! 2a) If the patch for bug 1706536 is in play it should show the title as inputed but not execute the js 2b) If the patch for bug 1706536 is not present it should show the title with special characters escaped but not execute the js 3) Go to pages and collections and edit a page 4) Click on settings You get an alert box with '1' in it The title for the skin needs to be escaped/made safe To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1707076/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
