Make sure that Mahara does not trust the portfolio content exported from Moodle

Reported by David Mudrák on 2010-12-08
Affects: Mahara
Importance: Medium
Assigned to: Ruslan Kabalin

Bug Description

As tracked in http://tracker.moodle.org/browse/MDL-25619, Moodle 2.0 does not clean output HTML when exporting content to a remote portfolio. From Moodle's point of view, the portfolio system is responsible for the input sanitization regardless of the source. Please make sure that you handle the data exported from Moodle correctly - it may contain malicious content, nasty JavaScript etc.

Ruslan Kabalin (rkabalin) wrote:

We do clean_html in the HTML blocktype, don't we? So, there should be no sanity problems when exporting from Moodle. Though, I have added a virus check for imported files (see b64be4db).

Changed in mahara:
importance: Undecided → Medium

Ruslan Kabalin (rkabalin) wrote:

Sorry, correct hash: c1539baa40

Changed in mahara:
status: New → Fix Committed
assignee: nobody → Ruslan Kabalin (ruslan-kabalin)
milestone: none → 1.4.0

Changed in mahara:
status: Fix Committed → Fix Released