Make sure that Mahara does not trust the portfolio content exported from Moodle

Bug #687597 reported by David Mudrák
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | Medium | Ruslan Kabalin |

Bug Description

As tracked in http://tracker.moodle.org/browse/MDL-25619, Moodle 2.0 does not clean output HTML when exporting content to a remote portfolio. From Moodle's point of view, the portfolio system is responsible for the input sanitization regardless of the source. Please make sure that you handle the data exported from Moodle correctly - it may contain malicious content, nasty JavaScript, etc.

Tags: moodle
Ruslan Kabalin (rkabalin) wrote :

We do clean_html in the html blocktype, don't we? So, there should be no sanity problems when exporting from Moodle. Though, I have added a virus check for imported files (see b64be4db).

Changed in mahara:
importance: Undecided → Medium
Ruslan Kabalin (rkabalin) wrote :

Sorry, the correct hash is c1539baa40.

Changed in mahara:
status: New → Fix Committed
assignee: nobody → Ruslan Kabalin (ruslan-kabalin)
milestone: none → 1.4.0
Changed in mahara:
status: Fix Committed → Fix Released