Description of a skin should be html escaped

Bug #1373170 reported by Son Nguyen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | High | Son Nguyen |
1.10 | Fix Released | High | Son Nguyen |
1.8 | Fix Released | High | Unassigned |
1.9 | Fix Released | High | Son Nguyen |

Bug Description

Version: master (1.10), 1.9
Platform, browser: any

The skin description displayed in the pop-up window when clicking the 'i' button on the page htdocs/skin/index.php should be HTML escaped.

See the attached file

Son Nguyen (ngson2000) wrote :
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/3715

Son Nguyen (ngson2000)
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
status: Confirmed → In Progress
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/3715
Committed: http://gitorious.org/mahara/mahara/commit/16f0499b99b443678ef86899d8dcbe8e37689981
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 16f0499b99b443678ef86899d8dcbe8e37689981
Author: Aaron Wells <email address hidden>
Date: Wed Sep 24 12:02:38 2014 +1200

Don't disable Dwoo autoescape in template files

Bug 1373170

Change-Id: Iff193aef8021c34cb19214d1f07d4ef8c429b3ff

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
milestone: none → 1.10.0
Aaron Wells (u-aaronw)
information type: Public → Public Security
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/3717

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3718

Aaron Wells (u-aaronw)
no longer affects: mahara/1.11
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/3718
Committed: http://gitorious.org/mahara/mahara/commit/ccc6569f327f3892d76e7914727856fd4ab342ef
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit ccc6569f327f3892d76e7914727856fd4ab342ef
Author: Aaron Wells <email address hidden>
Date: Wed Sep 24 12:02:38 2014 +1200

Don't disable Dwoo autoescape in template files

Bug 1373170

Change-Id: Iff193aef8021c34cb19214d1f07d4ef8c429b3ff

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3717
Committed: http://gitorious.org/mahara/mahara/commit/29d3f37d50c66184b3f7271c8cb2548f6176ebf0
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.8_STABLE

commit 29d3f37d50c66184b3f7271c8cb2548f6176ebf0
Author: Aaron Wells <email address hidden>
Date: Wed Sep 24 12:02:38 2014 +1200

Don't disable Dwoo autoescape in template files

Bug 1373170

Change-Id: Iff193aef8021c34cb19214d1f07d4ef8c429b3ff

Aaron Wells (u-aaronw)
Changed in mahara:
milestone: 1.10.0 → none
Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released
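
An added example, not Mahara's code and not part of this report: a small Python audit that flags output tags left unescaped inside Dwoo `{auto_escape off}` blocks, the pattern the merged commit title says was removed from template files. The template snippet and its variable names are constructed, and the block syntax and the `escape` modifier are assumed from Dwoo's documented plugins.

```python
import re

# One pass over the template: auto_escape open tags, their close tags,
# and variable output tags such as {$skin.description|escape}.
TOKEN = re.compile(
    r"\{auto_escape\s+[\"']?(?P<arg>\w+)[\"']?\s*\}"
    r"|(?P<close>\{/auto_escape\})"
    r"|\{(?P<var>\$[\w.>\[\]-]+)(?P<mods>(?:\|[^|{}]+)*)\}",
    re.IGNORECASE,
)
# Argument spellings that switch escaping off (assumed from Dwoo's plugin).
OFF = {"off", "false", "disabled", "disable", "0"}
# Modifiers counted as HTML-escaping the value (assumption; extend per project).
ESCAPING = {"escape"}


def find_unescaped(template):
    """Return (line, variable) for each output tag that sits inside an
    auto_escape-off block and carries no escaping modifier."""
    findings, stack = [], []
    for m in TOKEN.finditer(template):
        if m.group("arg") is not None:
            # True means escaping is on inside this block
            stack.append(m.group("arg").lower() not in OFF)
        elif m.group("close"):
            if stack:
                stack.pop()
        elif stack and not stack[-1]:
            mods = {p.split(":")[0].strip()
                    for p in m.group("mods").split("|") if p}
            if not mods & ESCAPING:
                line = template.count("\n", 0, m.start()) + 1
                findings.append((line, m.group("var")))
    return findings


# Constructed sample, not a real Mahara template.
SAMPLE = """\
{auto_escape off}
<h3>{$skin.title|escape}</h3>
<div class="skin-info">{$skin.description}</div>
{/auto_escape}
<p>{$skin.owner}</p>
"""

if __name__ == "__main__":
    for line, var in find_unescaped(SAMPLE):
        print(f"line {line}: {var} is output with autoescape disabled")
```
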
This report contains Public Security information  
Everyone can see this security related information.
