** CVE added: https://cve.mitre.org/cgi- bin/cvename.cgi?name=2017-1000137
-- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1375092 Title: XSS in page content editor Status in Mahara: Fix Released Status in Mahara 1.10 series: Fix Released Status in Mahara 15.04 series: Fix Released Bug description: Steps to reproduce in master: 1. Create a page 2. Click "Text box" in the content editor 3. Enter "<script>alert(1);</script>" without the quotes in the "Block title" and save the block 4. Click "Text box" in the content editor again. (Note: do not drag/drop a text box, only happens if you click) What happens: An alert is popped up on the page. What should happen: Alert should not be shown. Proposed fix is attached as a patch. Note that while the attached patch fixes it for me there are other references to h2.title in that file, so you might want to confirm that this fixes it properly. Simon To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1375092/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
