XSS in page content editor

Bug #1375092 reported by Simon Coggins on 2014-09-29
Affects: Mahara | Importance: High | Assigned to: Robert Lyon
Affects: 1.10 | Importance: High | Assigned to: Unassigned
Affects: 15.04 | Importance: High | Assigned to: Robert Lyon

Bug Description

Steps to reproduce in master:

1. Create a page
2. Click "Text box" in the content editor
3. Enter "<script>alert(1);</script>" without the quotes in the "Block title" and save the block
4. Click "Text box" in the content editor again. (Note: do not drag/drop a text box, only happens if you click)

What happens:

An alert is popped up on the page.

What should happen:

Alert should not be shown.

Proposed fix is attached as a patch. Note that while the attached patch fixes it for me there are other references to h2.title in that file, so you might want to confirm that this fixes it properly.

Simon
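
The pattern behind the reproduction steps above, as an added example that is not Mahara's code and not the attached patch: a stored block title concatenated into heading markup, beside the escaped form, with a small check that lists which elements the resulting fragment would open. The function names and the `<h2 class="title">` markup shape are assumptions taken from the report's mention of `h2.title`; the sample titles are constructed.

```javascript
// Added example, not Mahara's code. Function names and the h2.title markup
// shape are assumptions based on the report's mention of "h2.title".

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored title is concatenated into markup as-is.
function renderTitleUnsafe(title) {
  return '<h2 class="title">' + title + '</h2>';
}

// Hardened pattern: the title is escaped before it reaches the markup.
function renderTitleSafe(title) {
  return '<h2 class="title">' + escapeHtml(title) + '</h2>';
}

// Regression check: names of the elements the fragment would open.
// A regex approximation of start-tag detection, sufficient for this check.
function openedElements(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed sample titles: the one from the report plus an ordinary one.
const samples = ['<script>alert(1);</script>', 'Notes & "quotes"'];

// Render every sample with the given function and report what it opens.
function audit(render) {
  return samples.map((t) => ({ title: t, elements: openedElements(render(t)) }));
}

console.log(JSON.stringify(audit(renderTitleUnsafe)));
console.log(JSON.stringify(audit(renderTitleSafe)));
```

In DOM code the equivalent of the hardened form is assigning the title to `textContent` rather than `innerHTML`.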

Simon Coggins (simon-coggins) wrote :
Aaron Wells (u-aaronw) wrote :

Thanks for the bug report & patch, Simon!

Changed in mahara:
importance: Undecided → High
milestone: none → 1.10.0
Robert Lyon (robertl-9) wrote :
Changed in mahara:
status: New → In Progress
assignee: nobody → Robert Lyon (robertl-9)
Aaron Wells (u-aaronw) wrote :

Patch for 1.10_STABLE: https://reviews.mahara.org/3852

Changed in mahara:
status: In Progress → Fix Committed
Aaron Wells (u-aaronw) on 2014-10-21
information type: Private Security → Public Security
tags: added: regresion
tags: added: regression
removed: regresion
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released