Skin title not escaped in page settings form
Bug #1707076 reported by Robert Lyon
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Cecilia Vela Gurovic | |
| 16.04 | Fix Released | High | Unassigned | |
| 16.10 | Fix Released | High | Unassigned | |
| 17.04 | Fix Released | High | Unassigned | |
| 17.10 | Fix Released | High | Cecilia Vela Gurovic | |
Bug Description
When testing https:/
To test:
1) Set up a skin with the title:
It's all <script>
2a) If the patch for bug 1706536 is in play it should show the title as inputted but not execute the js
2b) If the patch for bug 1706536 is not present it should show the title with special characters escaped but not execute the js
3) Go to pages and collections and edit a page
4) Click on settings
You get an alert box with '1' in it
The title for the skin needs to be escaped/made safe
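The escaping the report asks for, as an added example that is not Mahara's code or the submitted patch: a user-supplied skin title rendered into a settings-form `<option>` with and without output escaping. The function names, the `$skins` row layout and the sample title are hypothetical and constructed for illustration; linking double escaping to the display in step 2b is an assumption.

```php
<?php
// Added example, not Mahara code. Function names and the $skins row
// layout are hypothetical; the title below is constructed sample input.

/** Escape a value for HTML text and quoted-attribute contexts. */
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unsafe: the stored title is concatenated into the markup as-is. */
function render_skin_options_unsafe(array $skins): string {
    $html = '';
    foreach ($skins as $skin) {
        $html .= '<option value="' . (int) $skin['id'] . '">'
               . $skin['title'] . "</option>\n";
    }
    return $html;
}

/** Safe: the raw title is stored and escaped once, at the point of output. */
function render_skin_options(array $skins): string {
    $html = '';
    foreach ($skins as $skin) {
        $html .= '<option value="' . (int) $skin['id'] . '">'
               . esc($skin['title']) . "</option>\n";
    }
    return $html;
}

// Constructed title containing markup, an ampersand and both quote types.
$raw   = 'Night <script>alert(1)</script> & "sky" it\'s';
$skins = [['id' => 7, 'title' => $raw]];

// The browser parses the title as markup, so the script element is live.
echo render_skin_options_unsafe($skins);

// The browser shows the title exactly as typed; nothing executes.
echo render_skin_options($skins);

// Assumption: if the title was already escaped when saved, escaping again
// at output is still safe but the user sees literal entities such as
// "&lt;script&gt;", which resembles the display described in step 2b.
$storedEscaped = [['id' => 7, 'title' => esc($raw)]];
echo render_skin_options($storedEscaped);
```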
Patch for "master" branch: https://reviews.mahara.org/7907