Logged-in user's name unescaped in top right header
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Richard Mansfield | |
Bug Description
Discovered by Emanuel Bronshtein. Present in 1.5
By changing "Display name" in Content->Profile:
http://
to:
XSS<script>
then click "Save profile".
JavaScript code is executed on every request to Mahara pages when the user logs in to the system.
(unfiltered HTML printed near "Settings" at the top of the page)
---
I think the display_
In the long term perhaps we should reconsider the policy for calls to PHP functions in the Dwoo templates - I believe the policy can be changed to disallow calls to arbitrary PHP functions, or to escape the output from them, but a change like that would require testing all our templates, and lots of work for 3rd party plugins & themes.
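The two template policies raised in the comment above, as an added example that is not part of the original report and is not Mahara or Dwoo code. It uses a toy renderer in which `{$var}` is always escaped and function-call output is escaped only under the stricter policy; `esc`, `shown_name`, `render` and the sample data are hypothetical.

```php
<?php
// Toy template renderer (hypothetical, not Dwoo) for the two policies discussed above.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper standing in for a PHP function that a template calls.
function shown_name(array $user): string
{
    return $user['displayname'] !== '' ? $user['displayname'] : $user['username'];
}

// Supports {$var} and {func($var)}. $allowed: null = any PHP function may be
// called, array = allowlist. $escapeCalls: HTML-escape function return values.
function render(string $tpl, array $vars, ?array $allowed, bool $escapeCalls): string
{
    $pattern = '/\{\$(\w+)\}|\{(\w+)\(\$(\w+)\)\}/';
    return preg_replace_callback($pattern, function (array $m) use ($vars, $allowed, $escapeCalls): string {
        if (($m[2] ?? '') === '') {
            // Plain variable: always escaped.
            return esc((string) ($vars[$m[1]] ?? ''));
        }
        [, , $fn, $arg] = $m;
        if ($allowed !== null && !in_array($fn, $allowed, true)) {
            throw new RuntimeException("template may not call {$fn}()");
        }
        $out = (string) $fn($vars[$arg] ?? null);
        return $escapeCalls ? esc($out) : $out;
    }, $tpl);
}

// Constructed sample data: a display name carrying markup.
$vars = ['user' => ['username' => 'alice', 'displayname' => 'XSS<script>alert(1)</script>']];
$tpl  = '<a href="/account">{shown_name($user)}</a>';

// Permissive policy: the function's return value reaches the page unescaped.
echo render($tpl, $vars, null, false), PHP_EOL;

// Stricter policy: allowlisted function, return value escaped before output.
echo render($tpl, $vars, ['shown_name'], true), PHP_EOL;

// A function outside the allowlist is rejected at render time.
try {
    render('{strtoupper($title)}', ['title' => 'x'], ['shown_name'], true);
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Escaping every function result would double-encode helpers that intentionally return HTML, which is the template-by-template testing cost the comment mentions.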
Changed in mahara:
status: Confirmed → Won't Fix
status: Won't Fix → Fix Released
assignee: nobody → Richard Mansfield (richard-mansfield)
visibility: private → public
Patch for master. You may need to remove dwoo/cache and dwoo/compile from dataroot before this takes effect.