Unencoded strings included in viewacl javascript
Bug #817342 reported by Richard Mansfield
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | Medium | Richard Mansfield | |
1.3 | Fix Released | Medium | Richard Mansfield | |
1.4 | Fix Released | Medium | Richard Mansfield | |
Bug Description
The viewacl template has javascript which includes strings directly from the language pack in single quotes instead of json encoded. Strings containing single quotes will result in syntax errors and will stop the js from executing.
I'll mark this as "security" till I've had a chance to discuss it with the others, but it's only exploitable by language pack maintainers, so it's probably better as public.
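The difference between the two ways of emitting a language string, shown as an added example that is not part of the original report or of Mahara's code. It is written in plain JavaScript rather than Mahara's template language; the function names and sample strings are hypothetical, and the extra escaping of `<` goes beyond what the report mentions.

```javascript
// Constructed sample language-pack strings (not taken from any real pack).
const SAMPLE_STRINGS = {
  plain: 'Remove access',
  apostrophe: "Supprimer l'accès",
  newline: 'Line one\nLine two',
  tagLike: 'Use </script> carefully',
};

// "Before": the string is pasted between single quotes in the script source.
function renderNaive(str) {
  return "var label = '" + str + "';";
}

// "After": the string is emitted as a JSON literal, which is also a valid
// JavaScript string literal. "<" is additionally written as \u003c so the
// literal cannot terminate an inline <script> element.
function renderEncoded(str) {
  const literal = JSON.stringify(str).replace(/</g, '\\u003c');
  return 'var label = ' + literal + ';';
}

// Compile the generated source and return the value it assigns to `label`,
// or null when the source is not valid JavaScript.
function evaluate(source) {
  let fn;
  try {
    fn = new Function(source + '\nreturn label;');
  } catch (err) {
    if (err instanceof SyntaxError) return null;
    throw err;
  }
  return fn();
}

// Compare both renderings for every sample string.
function compareAll() {
  return Object.entries(SAMPLE_STRINGS).map(([name, str]) => ({
    name,
    naiveOk: evaluate(renderNaive(str)) === str,
    encodedOk: evaluate(renderEncoded(str)) === str,
  }));
}

console.table(compareAll());
```

Any string the naive form fails to round-trip is one that a translator could break the page with, so the same comparison can be run over a whole language pack before it is installed.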
Changed in mahara:
status: Confirmed → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
milestone: 1.5.0 → none
Changed in mahara:
importance: High → Medium
Well spotted, Richard. I do not think it is really a security issue, though it would be good to apply it to 1.3/1.4 stable as well.