1) Log in to Mahara as an admin user.
2) Navigate to main menu > Portfolio > Skins
3) Click on Create skin
3) Enter the Skin title as "<script>alert(1);</script>good!"
4) Enter the skin description.
5) Click on save button.
6) Now navigate to main menu > Portfolio > pages & collections
7) Click on Add button
8) Select page

Actual Result: An alert popup appears, and it triggers every time the settings button is pressed.

Expected Result: The page settings page should be displayed without any popup alerts.

--
https://bugs.launchpad.net/bugs/1707076

Title:
  Skin title not escaped in page settings form

Status in Mahara:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Released
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released

Bug description:
  When testing https://bugs.launchpad.net/mahara/+bug/1706536 I noticed
  there was a problem on the page settings form where skin title was not
  being escaped.

  To test:

  1) Set up a skin with the title: It's all <script>alert(1);</script>good!

  2a) If the patch for bug 1706536 is in play it should show the title as
  inputted but not execute the js

  2b) If the patch for bug 1706536 is not present it should show the
  title with special characters escaped but not execute the js

  3) Go to pages and collections and edit a page

  4) Click on settings

  You get an alert box with '1' in it

  The title for the skin needs to be escaped/made safe
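
The class of fix the report asks for, as an added example that is not Mahara's code or the actual patch: a skin chooser that prints the stored title raw, next to one that escapes it at output, checked against the test title from the bug description. The function names, the radio-button markup and the sample rows are assumptions made for illustration.

```php
<?php
// Constructed sample rows standing in for skins loaded from the database.
// The second title is the test string from the bug description.
$skins = [
    ['id' => 1, 'title' => 'Plain'],
    ['id' => 2, 'title' => "It's all <script>alert(1);</script>good!"],
];

// Escape a value for HTML text and quoted-attribute contexts.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// BEFORE (hypothetical): the title is concatenated into the form markup
// exactly as stored, so the browser parses the <script> element.
function render_skin_chooser_unsafe(array $skins): string {
    $html = '';
    foreach ($skins as $skin) {
        $html .= '<label><input type="radio" name="skin" value="'
               . $skin['id'] . '"> ' . $skin['title'] . "</label>\n";
    }
    return $html;
}

// AFTER (hypothetical): the title stays raw in storage and is escaped once,
// at the point where it is written into the page settings form.
function render_skin_chooser(array $skins): string {
    $html = '';
    foreach ($skins as $skin) {
        $html .= '<label><input type="radio" name="skin" value="'
               . (int) $skin['id'] . '"> ' . esc($skin['title']) . "</label>\n";
    }
    return $html;
}

// Regression check: the raw tag must reach the page only in the unsafe form.
$unsafe = render_skin_chooser_unsafe($skins);
$safe   = render_skin_chooser($skins);
$ok = strpos($unsafe, '<script>') !== false
   && strpos($safe, '<script>') === false
   && strpos($safe, '&lt;script&gt;alert(1);&lt;/script&gt;good!') !== false;

echo $safe;
fwrite(STDERR, $ok ? "escaping check passed\n" : "escaping check FAILED\n");
exit($ok ? 0 : 1);
```

Escaping at output rather than on save also matters for steps 2a/2b above: a title that is already entity-encoded in storage and then escaped again on display shows literal entities to the user.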

