User autocomplete selector in Mail composer not escaping the name
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Robert Lyon | |
| 16.04 | Fix Released | High | Unassigned | |
| 16.10 | Fix Released | High | Unassigned | |
| 17.04 | Fix Released | High | Unassigned | |
| 17.10 | Fix Released | High | Robert Lyon | |
Bug Description
This means that a user can set a name containing markup, which is inserted unescaped and can be used to compromise another user.
To reproduce:
*) Login as "user1"
*) Click on "Main menu" - "Content" - "Profile" - "About me"
*) Insert at "First name" or "Last name" or "Display name":
<script>
*) Save with "Save profile"
*) Click on "User menu" - "0 unread" - "Compose"
*) Send a message to another user, for example:
Recipients: user2
Subject: Hello
Message: Please reply
*) Send the message with "Send message"
*) Logout as "user1"
*) Login as "user2"
*) Open the received message in the dashboard ("Inbox")
*) Click on "Reply"
*) The alert dialog appears
To fix:
Normally, when we show a user's name on screen, we filter it via hsc().
But in this case the name is being fetched by the autocomplete pieform element via the translate_
So we need to escape it before returning the name.
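The pattern described above, as an added illustration that is not Mahara's own code: an autocomplete endpoint that returns the raw display name beside one that escapes it before returning. The `hsc()` defined here is an assumed stand-in for Mahara's helper of the same name (assumed to wrap `htmlspecialchars()`), and the user records and the `<script>`-bearing name are constructed sample data.

```php
<?php
// Added example, not code from the Mahara project.
// Assumption: Mahara's hsc() escapes HTML special characters; this stand-in
// does the same with htmlspecialchars() so the script runs on its own.
function hsc(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data: one user whose display name carries markup, as in
// the reproduction steps (a <script> tag saved via "About me").
$users = [
    ['id' => 1, 'username' => 'user1', 'displayname' => 'Eve <script>'],
    ['id' => 2, 'username' => 'user2', 'displayname' => 'Bob Normal'],
];

// Vulnerable shape: the display name is copied straight into the result that
// the autocomplete widget will insert into the page as HTML.
function autocomplete_results_vulnerable(array $users, string $term): array
{
    $out = [];
    foreach ($users as $u) {
        if (stripos($u['displayname'], $term) !== false
            || stripos($u['username'], $term) !== false) {
            $out[] = ['id' => $u['id'], 'text' => $u['displayname']];
        }
    }
    return $out;
}

// Fixed shape: the name is passed through hsc() before it is returned, so the
// widget receives &lt;script&gt; and renders it as literal text.
function autocomplete_results_fixed(array $users, string $term): array
{
    $out = [];
    foreach ($users as $u) {
        if (stripos($u['displayname'], $term) !== false
            || stripos($u['username'], $term) !== false) {
            $out[] = ['id' => $u['id'], 'text' => hsc($u['displayname'])];
        }
    }
    return $out;
}

// A small check a reviewer could run: the raw tag must not survive in the
// fixed response, while the vulnerable one still carries it.
$vulnerable = json_encode(autocomplete_results_vulnerable($users, 'user1'));
$fixed      = json_encode(autocomplete_results_fixed($users, 'user1'));

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";

if (strpos($vulnerable, '<script>') === false) {
    throw new RuntimeException('expected the vulnerable response to contain the raw tag');
}
if (strpos($fixed, '<script>') !== false) {
    throw new RuntimeException('fixed response still contains an unescaped tag');
}
```

Escaping at the point where the name leaves the server matches the fix the bug describes; it is the right place only because the widget inserts the returned text as HTML, so any other code path that renders the same value as plain text would need to avoid double-escaping.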
information type: Private Security → Public Security
Patch for this: https://reviews.mahara.org/#/c/8054/