journal titles not being escaped

Bug #1720034 reported by Cecilia Vela Gurovic on 2017-09-28
Affects | Status | Importance | Assigned to | Milestone
Mahara | | High | Robert Lyon |
15.04 | | High | Unassigned |
16.04 | | High | Unassigned |
16.10 | | High | Unassigned |
17.04 | | High | Unassigned |
17.10 | | High | Robert Lyon |

Bug Description

Steps to test:

- create a journal
- set title to:
 <script>alert(1)</script>
- save
alert is displayed

- add an entry to the journal
- set title to:
 <script>alert(1)</script>
alert is displayed
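
The missing output encoding behind the steps above, shown next to an encoded version with a regression check. This is an added example, not Mahara's code or the committed fix; the function names and the button markup are assumptions made for illustration.

```php
<?php
// Added illustration; not Mahara's code. Function names and markup are hypothetical.

// Before: the stored title is concatenated into the button label as-is.
function delete_button_unescaped(string $title): string
{
    return '<button type="submit" name="delete">Delete "' . $title . '"</button>';
}

// After: the title is encoded for HTML at output time, quotes included.
function delete_button_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<button type="submit" name="delete">Delete "' . $safe . '"</button>';
}

// Regression check: a title containing HTML metacharacters must never
// appear verbatim in the rendered markup.
function title_rendered_raw(string $title, string $html): bool
{
    $has_metachars = htmlspecialchars($title, ENT_QUOTES, 'UTF-8') !== $title;
    return $has_metachars && strpos($html, $title) !== false;
}

// Constructed inputs: the title from the bug report and a benign title
// that still needs encoding.
$titles = ['<script>alert(1)</script>', 'Notes & "drafts"'];

foreach ($titles as $title) {
    foreach (['delete_button_unescaped', 'delete_button_escaped'] as $render) {
        $html = $render($title);
        printf("%-24s %-26s %s\n", $render, $title,
            title_rendered_raw($title, $html) ? 'RAW (fail)' : 'encoded (ok)');
    }
}
```

The same check can be pointed at any renderer that places a journal or entry title in a page, since it only compares the stored title with the produced markup.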

Robert Lyon (robertl-9) on 2017-09-28
Changed in mahara:
milestone: none → 17.10.0
status: Confirmed → In Progress
information type: Private Security → Public Security

Reviewed: https://reviews.mahara.org/8224
Committed: https://git.mahara.org/mahara/mahara/commit/77cc040b93c031d9e54edad5616d29e14de6664f
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 77cc040b93c031d9e54edad5616d29e14de6664f
Author: Robert Lyon <email address hidden>
Date: Thu Sep 28 14:07:40 2017 +1300

Bug 1720034: Journal/Journal post title not being escaped in delete button

behatnotneeded

Change-Id: I6f0c82a74e0d60614230aac1d4fc3884eae387a5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit c367be4d30e4b0dd45cd76373b19c7393f7809ee)
(cherry picked from commit 465b7df21db3c4cb2780475d46ec77bcebda8831)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8223
Committed: https://git.mahara.org/mahara/mahara/commit/3d9d5a43f5e5665207e41171b06d2f9129c0183f
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 3d9d5a43f5e5665207e41171b06d2f9129c0183f
Author: Robert Lyon <email address hidden>
Date: Thu Sep 28 14:07:40 2017 +1300

Bug 1720034: Journal/Journal post title not being escaped in delete button

behatnotneeded

Change-Id: I6f0c82a74e0d60614230aac1d4fc3884eae387a5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit c367be4d30e4b0dd45cd76373b19c7393f7809ee)
(cherry picked from commit 465b7df21db3c4cb2780475d46ec77bcebda8831)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8222
Committed: https://git.mahara.org/mahara/mahara/commit/35f72449a09c0db4300dd6d1ff801609dfea86b1
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 35f72449a09c0db4300dd6d1ff801609dfea86b1
Author: Robert Lyon <email address hidden>
Date: Thu Sep 28 14:07:40 2017 +1300

Bug 1720034: Journal/Journal post title not being escaped in delete button

behatnotneeded

Change-Id: I6f0c82a74e0d60614230aac1d4fc3884eae387a5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit c367be4d30e4b0dd45cd76373b19c7393f7809ee)
(cherry picked from commit 465b7df21db3c4cb2780475d46ec77bcebda8831)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8221
Committed: https://git.mahara.org/mahara/mahara/commit/039bbd9b5c350e1a9f2b895aeefb661dace62021
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 039bbd9b5c350e1a9f2b895aeefb661dace62021
Author: Robert Lyon <email address hidden>
Date: Thu Sep 28 14:07:40 2017 +1300

Bug 1720034: Journal/Journal post title not being escaped in delete button

behatnotneeded

Change-Id: I6f0c82a74e0d60614230aac1d4fc3884eae387a5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit c367be4d30e4b0dd45cd76373b19c7393f7809ee)
(cherry picked from commit 465b7df21db3c4cb2780475d46ec77bcebda8831)

This report contains Public Security information
Everyone can see this security related information.
