User content not escaped in groupviews blocktype

Bug #669307 reported by Richard Mansfield
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | High | Richard Mansfield |

Bug Description

A small number of templates still have auto_escape disabled. These didn't get updated before 1.3 because they were being worked on in parallel with the review of all templates. One of these templates displays unescaped HTML: blocktype/groupviews/theme/raw/groupviews.tpl; the others are okay.

Affects master and 1.3 stable only. This template doesn't exist in 1.2.x and the template it got copied from was fixed independently.
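
A check for the condition this report describes, as an added example that is not Mahara's code or part of the original report: it lists variables printed without an escaping modifier inside an `{auto_escape off}` block. It assumes Dwoo's `{auto_escape on|off}` block and `|modifier` syntax, treats `escape` and `clean_html` as the escaping modifiers, and runs on a constructed sample rather than the real groupviews.tpl.

```python
import re

# Assumed Dwoo template syntax: {auto_escape on|off} ... {/auto_escape} blocks
# and {$var|modifier:arg} output tags.
TOKEN = re.compile(r"\{auto_escape\s+(on|off)\}|\{(/auto_escape)\}|\{(\$[^{}]+)\}")
# Assumption: modifiers that make a value safe to print into HTML.
ESCAPING_MODIFIERS = {"escape", "clean_html"}

# Constructed sample template, not the contents of the real groupviews.tpl.
SAMPLE = """\
{auto_escape off}
<ul>
{foreach from=$items item=view}
  <li><a href="view.php?id={$view.id|escape}">{$view.title}</a>
    <div>{$view.description|clean_html}</div>
    <div>{$view.ownername}</div></li>
{/foreach}
</ul>
{/auto_escape}
<p>{$footer}</p>
"""


def unescaped_outputs(template, default_on=True):
    """Return [(line, expression)] for variables printed with no escaping
    modifier while auto-escaping is switched off."""
    findings = []
    stack = []  # on/off state of each enclosing auto_escape block
    for lineno, line in enumerate(template.splitlines(), 1):
        for m in TOKEN.finditer(line):
            switch, close, expr = m.groups()
            if switch:
                stack.append(switch == "on")
            elif close:
                if stack:
                    stack.pop()
            else:
                escaping = stack[-1] if stack else default_on
                # Modifier names are the parts after each "|", before any ":".
                modifiers = {p.split(":")[0].strip() for p in expr.split("|")[1:]}
                if not escaping and not (modifiers & ESCAPING_MODIFIERS):
                    findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for lineno, expr in unescaped_outputs(SAMPLE):
        print(f"line {lineno}: {{{expr}}} is printed raw inside auto_escape off")
```

Each finding is a candidate for review rather than a confirmed injection point, since a flagged variable may hold a value that users cannot control.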

Richard Mansfield (richard-mansfield) wrote :

Now fixed in security branches.

Changed in mahara:
milestone: none → 1.3.3
assignee: nobody → Richard Mansfield (richard-mansfield)
Changed in mahara:
status: New → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
