Description of a skin should be html escaped

Bug #1373170 reported by Son Nguyen on 2014-09-23
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | | High | Son Nguyen |
1.10 | | High | Son Nguyen |
1.8 | | High | Unassigned |
1.9 | | High | Son Nguyen |

Bug Description

Version: master (1.10), 1.9
Platform, browser: any

The skin description displayed in the pop-up window when clicking the 'i' button on the page htdocs/skin/index.php should be HTML-escaped.

See the attached file

Son Nguyen (ngson2000) wrote :
Son Nguyen (ngson2000) on 2014-09-24
Changed in mahara:
assignee: nobody → Son Nguyen (ngson2000)
status: Confirmed → In Progress

Reviewed: https://reviews.mahara.org/3715
Committed: http://gitorious.org/mahara/mahara/commit/16f0499b99b443678ef86899d8dcbe8e37689981
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 16f0499b99b443678ef86899d8dcbe8e37689981
Author: Aaron Wells <email address hidden>
Date: Wed Sep 24 12:02:38 2014 +1200

Don't disable Dwoo autoescape in template files

Bug 1373170

Change-Id: Iff193aef8021c34cb19214d1f07d4ef8c429b3ff

Robert Lyon (robertl-9) on 2014-09-24
Changed in mahara:
status: In Progress → Fix Committed
milestone: none → 1.10.0
Aaron Wells (u-aaronw) on 2014-09-24
information type: Public → Public Security
Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/3718

Aaron Wells (u-aaronw) on 2014-10-20
no longer affects: mahara/1.11

Reviewed: https://reviews.mahara.org/3718
Committed: http://gitorious.org/mahara/mahara/commit/ccc6569f327f3892d76e7914727856fd4ab342ef
Submitter: Aaron Wells (<email address hidden>)
Branch: 1.9_STABLE

commit ccc6569f327f3892d76e7914727856fd4ab342ef
Author: Aaron Wells <email address hidden>
Date: Wed Sep 24 12:02:38 2014 +1200

Don't disable Dwoo autoescape in template files

Bug 1373170

Change-Id: Iff193aef8021c34cb19214d1f07d4ef8c429b3ff

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/3717
Committed: http://gitorious.org/mahara/mahara/commit/29d3f37d50c66184b3f7271c8cb2548f6176ebf0
Submitter: Son Nguyen (<email address hidden>)
Branch: 1.8_STABLE

commit 29d3f37d50c66184b3f7271c8cb2548f6176ebf0
Author: Aaron Wells <email address hidden>
Date: Wed Sep 24 12:02:38 2014 +1200

Don't disable Dwoo autoescape in template files

Bug 1373170

Change-Id: Iff193aef8021c34cb19214d1f07d4ef8c429b3ff

Aaron Wells (u-aaronw) on 2014-10-20
Changed in mahara:
milestone: 1.10.0 → none
Aaron Wells (u-aaronw) on 2014-10-21
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.