User content not escaped in groupviews blocktype
Bug #669307 reported by Richard Mansfield
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Richard Mansfield | |
Bug Description
A small number of templates still have auto_escape disabled. These didn't get updated before 1.3 because they were being worked on in parallel with the review of all templates. One of these templates displays unescaped HTML: blocktype/
Affects master and 1.3 stable only. This template doesn't exist in 1.2.x and the template it got copied from was fixed independently.
CVE References
Changed in mahara:
milestone: none → 1.3.3
assignee: nobody → Richard Mansfield (richard-mansfield)
Changed in mahara:
status: New → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
Now fixed in security branches.
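
An audit for the condition the bug description names (templates that still have auto_escape disabled), as an added example that is not part of the original report or Mahara's code. It assumes Dwoo-style `{auto_escape off}` ... `{/auto_escape}` blocks, `{$var|modifier}` output tags and a `.tpl` file extension; the sample template is constructed.

```python
import re

# Assumed syntax (not shown in the bug report): a Dwoo-style block that turns
# auto-escaping off, and {$var|modifier} tags that print a variable.
BLOCK_OFF = re.compile(r"\{auto_escape\s+off\}(.*?)(?:\{/auto_escape\}|\Z)", re.S)
VAR_TAG = re.compile(r"\{(\$[^{}]+)\}")
# Modifiers treated as HTML-escaping the value; extend for your code base.
ESCAPING_MODIFIERS = {"escape"}

# Constructed sample template, for illustration only.
SAMPLE_TEMPLATE = """{auto_escape off}
<ul class="groupviews">
{foreach from=$views item=view}
  <li><a href="{$wwwroot}view/view.php?id={$view.id}">{$view.title}</a>
      <div>{$view.description|escape}</div></li>
{/foreach}
</ul>
{/auto_escape}
<p>{$footer}</p>
"""

def unescaped_outputs(template_text):
    """Return (line_number, tag) for each variable printed inside an
    auto_escape-off region without an escaping modifier."""
    findings = []
    for block in BLOCK_OFF.finditer(template_text):
        for tag in VAR_TAG.finditer(block.group(1)):
            parts = tag.group(1).split("|")
            modifiers = {m.split(":")[0].strip() for m in parts[1:]}
            if modifiers & ESCAPING_MODIFIERS:
                continue  # explicitly escaped, nothing to review
            offset = block.start(1) + tag.start()
            line = template_text.count("\n", 0, offset) + 1
            findings.append((line, tag.group(0)))
    return findings

if __name__ == "__main__":
    import pathlib
    import sys
    # Usage: python audit_templates.py <template_dir> [...]
    for root in sys.argv[1:]:
        for path in pathlib.Path(root).rglob("*.tpl"):
            text = path.read_text(errors="replace")
            for line, tag in unescaped_outputs(text):
                print(f"{path}:{line}: {tag}")
```

Each hit is a review candidate rather than a confirmed bug: a reviewer still has to decide whether the variable can carry user-supplied content.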